Hi Douglas,
Thanks for your answer, it was indeed the selinux-policy version that was wrong. I am now
using the one from RHEL5 and it works!
Kind regards,
Jeroen
From: Douglas Brown [mailto:doug.brown@qut.edu.au]
Sent: Tuesday 10 November 2015 1:37
To: RIJKEN Jeroen
Cc: selinux(a)lists.fedoraproject.org
Subject: Re: Semodule libsepol.permission_copy_callback permission not satisfied
On 9 Nov 2015, at 8:01 pm, RIJKEN Jeroen <jeroen.rijken@nl.thalesgroup.com> wrote:
Dear all,
Let me begin by saying the SELinux installation I currently use is non-standard. The
platform I work on officially only supports seedit for creating policies; however, I simply
prefer writing them by hand. Also, I don't have a GUI. I downloaded the RPM
selinux-policy and installed it, providing the necessary files in /usr/share/selinux/devel
for compiling the policies. The compilation of policies works, but installing them with
semodule doesn't. The following error is produced:
[CODE]
root@_________:/root/thales_logging> make -f /usr/share/selinux/devel/Makefile thales_logging.pp
Compiling wr-standard thales_logging module
/usr/bin/checkmodule: loading policy configuration from tmp/thales_logging.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/thales_logging.mod
Creating wr-standard thales_logging.pp policy package
rm tmp/thales_logging.mod tmp/thales_logging.mod.fc
root@_________:/root/thales_logging> semodule -i thales_logging.pp
libsepol.permission_copy_callback: Module thales_logging depends on permission audit_access in class dir, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
[/CODE]
What does this error mean?
A while back I compiled a policy on a RHEL 6.7 machine then copied it to a RHEL 6.6
machine, but it failed to load and I believe it was the same error. I think the
audit_access permission was added in RHEL 6.7 (but I could be wrong). In a similar way, it
looks like your machine is running a base policy older than that provided by the
selinux-policy rpm you installed and so it can't load a policy because it doesn't
know what the new audit_allow permission is.
The system is running Wind River Linux. I have to write the log files to a file under /opt
(non-ramdisk), which is labeled with usr_t. The directories inside /opt have the proper
labels. Below is the .te file:
[CODE]
policy_module(thales_logging, 0.1)
########################################
#
# Declarations
#
gen_require(`
type usr_t;
type auditctl_t;
type syslogd_t;
type var_log_t;
type audit_log_t;
type syslogd_initrc_exec_t;
')
########################################
#
# thales_logging local policy
#
allow auditctl_t usr_t:dir { getattr ioctl read search };
allow auditctl_t usr_t:lnk_file { getattr ioctl read };
#allow syslogd_t usr_t:dir { getattr ioctl read search };
[/CODE]
The .fc file:
[CODE]
/etc/init.d/syslog-ng          --    gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/opt/platform_log(/.*)?              gen_context(system_u:object_r:var_log_t,s0)
/opt/platform_log/audit(/.*)?        gen_context(system_u:object_r:audit_log_t,s0)
[/CODE]
No .if is present, the one generated when compiling is empty.
Thanks in advance,
Jeroen
------------------------------------------------------------------------------------------------------------
Disclaimer:
If you are not the intended recipient of this email, please notify the sender and
delete it.
Any unauthorized copying, disclosure or distribution of this email or its
attachment(s) is forbidden.
Thales Nederland BV will not accept liability for any damage caused by this email or
its attachment(s).
Thales Nederland BV is seated in Hengelo and is registered at the Chamber of
Commerce under number 06061578.
------------------------------------------------------------------------------------------------------------
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
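The failure discussed in this thread (a module compiled against newer devel headers requiring a permission, here audit_access in class dir, that the policy loaded in the kernel does not define) can be caught before semodule is ever run. The script below is an added example and not code from the thread or from the SELinux project. It relies on one documented fact: the kernel exports the loaded policy's object classes through selinuxfs (mounted at /sys/fs/selinux on current systems, /selinux on older ones) as one directory per class with one file per permission under class/<class>/perms/. The .te parser is a deliberately simple hypothetical helper that understands only the plain "allow src tgt:class { perms };" form used in the posted module, not interface calls or the full policy grammar; the fixture it builds (a fake selinuxfs tree and a module named example_logging) is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check a .te module's permission
# requirements against the policy actually loaded in the kernel before
# running "semodule -i", so that a mismatch such as
#   "depends on permission audit_access in class dir, not satisfied"
# is reported up front with the offending class/permission pairs.
#
# selinuxfs layout used here (real, documented):
#   <selinuxfs>/class/<class>/perms/<permission>   one file per permission

# Returns 0 if <class>:<perm> exists in the loaded policy, 1 if it does not,
# 2 if <sefs> is not a selinuxfs mount point at all.
selinux_perm_known() {
    sefs=$1
    class=$2
    perm=$3
    [ -d "$sefs/class" ] || return 2
    [ -e "$sefs/class/$class/perms/$perm" ]
}

# Prints "<class> <perm>" for every permission an allow rule in the .te
# grants. Hypothetical helper: handles only "allow src tgt:class { p1 p2 };"
# and "allow src tgt:class p;", not interface calls or other statements.
te_required_perms() {
    sed 's/#.*$//' "$1" | tr '\n' ' ' | tr ';' '\n' | awk '
        {
            gsub(/[{}]/, " ")                      # braces may be glued to tokens
            for (a = 1; a <= NF && $a != "allow"; a++) ;
            if (a > NF) next                       # no allow rule in this statement
            split($(a + 2), t, ":")                # token after source is "target:class"
            for (i = a + 3; i <= NF; i++) print t[2], $i
        }' | sort -u
}

# Checks every requirement of the .te against the loaded policy at <sefs>.
# Prints the unsatisfied pairs on stderr and returns 1 if there are any;
# these are the pairs semodule would reject at link time.
check_te_against_policy() {
    missing=$(te_required_perms "$2" | while read -r class perm; do
        selinux_perm_known "$1" "$class" "$perm" || echo "  $perm in class $class"
    done)
    [ -z "$missing" ] && return 0
    printf 'not satisfied by policy at %s:\n%s\n' "$1" "$missing" >&2
    return 1
}

# Constructed fixture for the demo (not a real system): a fake selinuxfs
# whose dir class predates audit_access, plus a module that needs it.
# Prints the fixture root directory.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/sefs/class/dir/perms" "$root/sefs/class/lnk_file/perms"
    for p in getattr ioctl read search write; do : > "$root/sefs/class/dir/perms/$p"; done
    for p in getattr ioctl read; do : > "$root/sefs/class/lnk_file/perms/$p"; done
    cat > "$root/mod.te" <<'EOF'
policy_module(example_logging, 0.1)
gen_require(`
	type usr_t;
	type auditctl_t;
')
# the posted rules, plus the permission a newer checkmodule would add
allow auditctl_t usr_t:dir { getattr ioctl read search audit_access };
allow auditctl_t usr_t:lnk_file { getattr ioctl read };
EOF
    printf '%s\n' "$root"
}

# Stand-alone demo: ./check_te.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(build_fixture)
    check_te_against_policy "$root/sefs" "$root/mod.te"
    rm -rf "$root"
fi
```

On a real system, call check_te_against_policy /sys/fs/selinux thales_logging.te (or /selinux on older releases) from the directory holding the .te before building the .pp. If a pair is reported, the fix is the one reached in the thread: build against devel headers that match the loaded base policy rather than a newer selinux-policy RPM. Where setools is installed, seinfo -c dir -x shows the same per-class permission list read here from selinuxfs.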