Bug 600749 - Can't load newly created SELinux modules
Product: Fedora
Classification: Fedora
Component: selinux-policy
i686 Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2010-06-05 17:21 EDT by Christopher J Tapp
Modified: 2010-06-07 16:50 EDT
Doc Type: Bug Fix
Last Closed: 2010-06-07 16:50:07 EDT
Description Christopher J Tapp 2010-06-05 17:21:38 EDT
Description of problem:
Using SEL targeted policy if that is relevant.  When creating a new module using audit2allow the new policy cannot be loaded.

Version-Release number of selected component (if applicable):
Fedora 13

How reproducible:
Every time (also tried a different test module, still couldn't load it).

Steps to Reproduce:
1. Set SEL to permissive.   
2. Carry out new action (starting googleearth in my case) then run "audit2allow -l -a -M filename".
3. Try to load the new module with "semodule -i filename"
Actual results:
[root@peony ~]# setenforce 0
[root@peony ~]# audit2allow -l -a -M selgoogleearth
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i selgoogleearth.pp

[root@peony ~]# semodule -i selgoogleearth.pp
libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/tmp/base.pp. (No such file or directory).
semodule:  Failed!
[root@peony ~]# 

Expected results:
module loaded!

Additional info:
I asked about this in the Fedora forum, see thread for more info - 
Comment 1 Daniel Walsh 2010-06-07 10:03:30 EDT
Looks like something might be wrong with your policy install

Could you try 

yum reinstall selinux-policy-targeted

And see if this blows up.
Comment 2 Christopher J Tapp 2010-06-07 11:59:23 EDT
OK - as it had already been suggested on the forum, I had previously reinstalled selinux-policy and policy-targeted prior to reporting the bug. It made no difference.

As you suggested it again though, I reinstalled everything SEL-related, including replacing one (or were there two?) SEL libraries which I had somehow installed from the fedora-updates-testing repo. I removed everything, reinstalled everything from fedora.repo, and lo and behold, it works. The selgoogleearth.pp loaded fine.

None of the SEL-related GUI programs work though (SEL Management or Policy Generation Tool or any setools). None of them do anything when I click on 'em, but I expect this is a Fedora foible, probably unrelated.  I am looking into this.
Comment 3 Daniel Walsh 2010-06-07 13:22:54 EDT
Run system-config-selinux from the command line and see what error happens?

Are you running with confined users?
Comment 4 Christopher J Tapp 2010-06-07 16:25:43 EDT
Works fine now thanks.  After searching the repos with yum I found the policycoreutils-gui package, which for some reason wasn't installed along with policycoreutils as part of my boot.fedora.org installation.  

All the menu entries were present though, so I can forgive myself for missing a package I didn't even know existed.

So whether this is an SELinux bug or a boot.fedora.org bug, or just a one-off unexplainable error with my installation, I don't know.  Given the fact that different elements of SELinux had obviously not installed properly, and now this GUI thing, I guess it's a BFO bug.

I'm not about to try to reproduce it though; not got the time sorry.
Comment 5 Daniel Walsh 2010-06-07 16:50:07 EDT
Ok if it happens again, I will reopen.
