Bug 600749 - Can't load newly created SELinux modules
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i686
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-06-05 21:21 UTC by Christopher J Tapp
Modified: 2010-06-07 20:50 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-06-07 20:50:07 UTC



Description Christopher J Tapp 2010-06-05 21:21:38 UTC
Description of problem:
Using SEL targeted policy if that is relevant.  When creating a new module using audit2allow the new policy cannot be loaded.

Version-Release number of selected component (if applicable):
Fedora 13

How reproducible:
Every time (also tried a different test module, still couldn't load it).

Steps to Reproduce:
1. Set SEL to permissive.   
2. Carry out new action (starting googleearth in my case) then run "audit2allow -l -a -M filename".
3. Try to load the new module with "semodule -i filename"
  
Actual results:
[root@peony ~]# setenforce 0
[root@peony ~]# audit2allow -l -a -M selgoogleearth
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i selgoogleearth.pp

[root@peony ~]# semodule -i selgoogleearth.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!
[root@peony ~]# 


Expected results:
module loaded!

Additional info:
I asked about this in the Fedora forum, see thread for more info - 
http://forums.fedoraforum.org/showthread.php?p=1367743&posted=1#post1367743

Comment 1 Daniel Walsh 2010-06-07 14:03:30 UTC
Looks like something might be wrong with your policy install

Could you try 

yum reinstall selinux-policy-targeted

And see if this blows up.

Comment 2 Christopher J Tapp 2010-06-07 15:59:23 UTC
OK - as it had already been suggested on the forum, I had previously reinstalled selinux-policy and policy-targeted prior to reporting the bug. It made no difference.

As you suggested it again though I reinstalled everything SEL-related including replacing one (or were there two?) sel libraries which I had somehow installed from fedora-updates-testing repo. I removed everything, reinstalled everything from fedora.repo, and lo and behold, it works. The selgoogleearth.pp loaded fine.

None of the sel-related GUI programs work though (SEL Management or Policy Generation Tool or any setools). None of them do anything when I click on 'em, but I expect this is a Fedora foible, probably unrelated.  I am looking into this.

Comment 3 Daniel Walsh 2010-06-07 17:22:54 UTC
Run system-config-selinux from the command line and see what error happens?

Are you running with confined users?

Comment 4 Christopher J Tapp 2010-06-07 20:25:43 UTC
Works fine now thanks.  After searching the repos with yum I found the policycoreutils-gui package, which for some reason wasn't installed along with policycoreutils as part of my boot.fedora.org installation.  

All the menu entries were present though, so I can forgive myself for missing a package I didn't even know existed.

So whether this is an SELinux bug or a boot.fedora.org bug, or just a one-off unexplainable error with my installation I don't know.  Given the fact that different elements of SELinux had obviously not installed properly, and now this GUI thing, I guess it's a BFO bug.

I'm not about to try to reproduce it though; not got the time sorry.

Comment 5 Daniel Walsh 2010-06-07 20:50:07 UTC
Ok if it happens again, I will reopen.

