Hello,
I was playing with semodule (trying to understand how it works) so I added a module. Later I also played with refpolicy and monolithic building (again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is KnockServer and its version. Is there any way to know why semodule -r is failing? What argument is invalid?
I have other questions about modules: what is the relationship between the modules and the binary policy file installed at /etc/selinux/(strict|targeted)/policy? Does this file include just base modules? If so, where are the files for non-base modules stored? Is it another binary file?
Thanks in advance, Sandra
On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez wrote:
Hello,
I was playing with semodule (trying to understand how it works) so I added a module. Later I also played with refpolicy and monolithic building (again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is KnockServer and its version. Is there any way to know why semodule -r is failing? What argument is invalid?
This typically means that the kernel rejected the policy, look for messages in /var/log/messages. This can happen e.g. if you load a policy that defines newer classes and permissions and later try to load a policy that lacks those definitions, which would happen if you tried loading a newer upstream policy and are now trying to revert to a stock FC5 policy. The kernel has an overly conservative check at present that no class or permission definitions can go away after initial policy load; the actual requirement is just that no class or permission definition on which the kernel relies should go away.
To recover, do something like:
# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer
Then reboot with the updated policy.
I have other questions about modules: what is the relationship between the modules and the binary policy file installed at /etc/selinux/(strict|targeted)/policy? Does this file include just base modules? If so, where are the files for non-base modules stored? Is it another binary file?
The kernel binary policy file is generated from all of the kernel policy-related data in the policy module store, including all modules (base and non-base), local boolean settings, and network object contexts. This is done by libsemanage, which is used by semodule, semanage, and setsebool to apply changes to the policy.
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in the src directory and also to /etc/selinux/strict/users/local.users. I tried first to modify only the one in src but it did not work, so I also modified the other one.
Since I am working based on refpolicy (I already ran make install-src) and the instructions I have found are for previous versions, I am not sure if I need to run make policy, and then install. Just to be sure I tried; make policy worked ok, but make install does not work ... I guess I am doing something wrong ... could anybody help me with that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users file. I am also trying to use it as part of the context for a file.
Thanks in advance, Sandra
Sandra Julieta Rueda Rodriguez wrote:
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in the src directory and also to /etc/selinux/strict/users/local.users. I tried first to modify only the one in src but it did not work, so I also modified the other one.
Why not use semanage user -a to add SELinux users, or semanage login -a if you want to map a UID to a SELinux user?
Since I am working based on refpolicy (I already ran make install-src) and the instructions I have found are for previous versions, I am not sure if I need to run make policy, and then install. Just to be sure I tried; make policy worked ok, but make install does not work ... I guess I am doing something wrong ... could anybody help me with that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users file. I am also trying to use it as part of the context for a file.
Thanks in advance, Sandra
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Wed, 2006-09-27 at 21:49 -0400, Sandra Julieta Rueda Rodriguez wrote:
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in the src directory and also to /etc/selinux/strict/users/local.users. I tried first to modify only the one in src but it did not work, so I also modified the other one.
local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1 in /etc/selinux/config. In FC5 and later, user manipulation is done via semanage, and makes use of a separate mapping from Linux users to SELinux user identities (the seusers mapping), so that one can add/remove/modify Linux users without modifying kernel policy at all. semanage login manipulates this mapping. semanage user can also be used to manipulate SELinux user identities, but you generally shouldn't need to do that - typically you would just have one SELinux user identity per logical role, and then map Linux users to those SELinux user identities.
Since I am working based on refpolicy (I already ran make install-src) and the instructions I have found are for previous versions, I am not sure if I need to run make policy, and then install. Just to be sure I tried; make policy worked ok, but make install does not work ...
Um, you do know that FC5 policy is also based on refpolicy, right? And that you should be doing a modular policy build even if you are building from the upstream refpolicy, so that you can continue to use semodule and semanage?
I guess I am doing something wrong ... could anybody help me with that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20 file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users file. I am also trying to use it as part of the context for a file.
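To show how the seusers mapping described above relates to the setfiles error in the make install output, here is an added example (not code from the thread or from the SELinux tools): it parses a constructed seusers file in the login:seuser[:range] form that semanage login maintains, resolves a Linux login to its SELinux user with the __default__ fallback, and checks the user field of file_contexts entries against a constructed set of policy-defined SELinux users. All sample data (SEUSERS, POLICY_USERS, FILE_CONTEXTS) is constructed for the example.

```python
import re
# Constructed seusers mapping, the login:seuser[:range] file that
# "semanage login -a" maintains under /etc/selinux/<type>/seusers.
SEUSERS = "system_u:system_u\nroot:root\nrueda:staff_u\n__default__:user_u\n"

# Constructed set of SELinux user identities the policy defines; the Linux
# login "rueda" is deliberately not one of them.
POLICY_USERS = {"system_u", "root", "user_u", "staff_u", "sysadm_u"}

# Constructed file_contexts lines: the first reuses the Linux login as an SELinux
# user (the mistake in the thread), the second uses the mapped identity instead.
FILE_CONTEXTS = """\
/home/rueda(/.*)?    rueda:staff_r:staff_t
/home/rueda(/.*)?    staff_u:object_r:user_home_t
/tmp/.*              <<none>>
"""

def parse_seusers(text):
    """Parse seusers into {login: (seuser, mls_range)}; range may be empty."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)
        if len(parts) < 2:
            raise ValueError(f"seusers line {lineno}: malformed entry {line!r}")
        mapping[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return mapping

def seuser_for_login(mapping, login):
    """Resolve a Linux login to its SELinux user: exact entry, else __default__."""
    return mapping.get(login, mapping.get("__default__"))

CONTEXT_RE = re.compile(r"^([^:]+):([^:]+):([^:]+)(?::(.*))?$")

def invalid_contexts(file_contexts, policy_users):
    """Return (lineno, user) for entries whose user field is not a defined
    SELinux user, the check behind setfiles' 'user X is not defined' error."""
    bad = []
    for lineno, raw in enumerate(file_contexts.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#") or fields[-1] == "<<none>>":
            continue
        m = CONTEXT_RE.match(fields[-1])
        user = m.group(1) if m else fields[-1]
        if user not in policy_users:
            bad.append((lineno, user))
    return bad
```

Only the user field is validated here, because that is the field setfiles complained about; a real policy check also validates the role, type and range.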
Hi,
I am trying to create a new user. I added it to the file local.users in the src directory and also to /etc/selinux/strict/users/local.users. I tried first to modify only the one in src but it did not work, so I also modified the other one.
local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1 in /etc/selinux/config. In FC5 and later, user manipulation is done via semanage, and makes use of a separate mapping from Linux users to SELinux user identities (the seusers mapping), so that one can add/remove/modify Linux users without modifying kernel policy at all. semanage login manipulates this mapping. semanage user can also be used to manipulate SELinux user identities, but you generally shouldn't need to do that - typically you would just have one SELinux user identity per logical role, and then map Linux users to those SELinux user identities.
That was my next question. I wanted to know if local.users did not work at all for FC5. Now I have your answer.
Um, you do know that FC5 policy is also based on refpolicy, right? And that you should be doing a modular policy build even if you are building from the upstream refpolicy, so that you can continue to use semodule and semanage?
Yes, you were talking about it two weeks ago. But I did not know that there are things that do not work in the old way anymore.
I was wondering if there is a place (a guide or a book) where I can find updated information. I am learning and it is kind of frustrating to try to set up policies and then realize that the main problem is that one is working based on old instructions, and those are not always valid (although some of them are valid sometimes). When I look for info on the internet, most of the time I find instructions related to the old ways to work with selinux.
Thanks a lot, Sandra
--
Stephen Smalley
National Security Agency
On Sun, 2006-10-01 at 15:51 -0400, Sandra Julieta Rueda Rodriguez wrote:
I was wondering if there is a place (a guide or a book) where I can find updated information. I am learning and it is kind of frustrating to try to set up policies and then realize that the main problem is that one is working based on old instructions, and those are not always valid (although some of them are valid sometimes). When I look for info on the internet, most of the time I find instructions related to the old ways to work with selinux.
Of the available information resources (http://selinux.sourceforge.net/resources.php3), the ones that are more likely to be current include:
- The Fedora Core 5 SELinux FAQ: http://fedora.redhat.com/docs/selinux-faq-fc5/
- The Fedora Project wiki SELinux page: http://fedoraproject.org/wiki/SELinux/
- The recently published SELinux by Example book: http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1