On 9 Nov 2015, at 8:01 pm, RIJKEN Jeroen <jeroen.rijken@nl.thalesgroup.com> wrote:

Dear all,
 
Let me begin by saying the SELinux installation I currently use is non-standard. The platform I work on officially only supports seedit for creating policies, but I simply prefer writing them by hand. Also, I don't have a GUI. I downloaded the RPM selinux-policy and installed it, which provides the necessary files in /usr/share/selinux/devel for compiling the policies. Compiling the policies works; installing them with semodule doesn't. The following error is produced:
 
[CODE]
root@_________:/root/thales_logging> make -f /usr/share/selinux/devel/Makefile thales_logging.pp
Compiling wr-standard thales_logging module
/usr/bin/checkmodule:  loading policy configuration from tmp/thales_logging.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/thales_logging.mod
Creating wr-standard thales_logging.pp policy package
rm tmp/thales_logging.mod tmp/thales_logging.mod.fc
root@_________:/root/thales_logging> semodule -i thales_logging.pp
libsepol.permission_copy_callback: Module thales_logging depends on permission audit_access in class dir, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
[/CODE]
 
What does this error mean?

A while back I compiled a policy on a RHEL 6.7 machine and then copied it to a RHEL 6.6 machine, but it failed to load and I believe it was the same error. I think the audit_access permission was added in RHEL 6.7 (but I could be wrong). In a similar way, it looks like your machine is running a base policy older than the one provided by the selinux-policy rpm you installed, and so it can't load the policy because it doesn't know what the new audit_access permission is.

 
 
The system is running Wind River Linux. I have to write the log files to a file under /opt (non-ramdisk), which is labeled with usr_t. The directories inside /opt have the proper labels. Below is the .te file:
 
[CODE]
policy_module(thales_logging, 0.1)

########################################
#
# Declarations
#

gen_require(`
    type usr_t;
    type auditctl_t;
    type syslogd_t;

    type var_log_t;
    type audit_log_t;

    type syslogd_initrc_exec_t;
')

########################################
#
# thales_logging local policy
#

# Let auditctl traverse and read the usr_t directories (and symlinks) under /opt
# on the way to the log directories that the .fc file relabels.
allow auditctl_t usr_t:dir { getattr ioctl read search };
allow auditctl_t usr_t:lnk_file { getattr ioctl read };
#allow syslogd_t usr_t:dir { getattr ioctl read search };
[/CODE]
 
The .fc file:
 
[CODE]
/etc/init.d/syslog-ng           --  gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/opt/platform_log(/.*)?             gen_context(system_u:object_r:var_log_t,s0)
/opt/platform_log/audit(/.*)?       gen_context(system_u:object_r:audit_log_t,s0)
[/CODE]
 
No .if file is present; the one generated when compiling is empty.
 
 
Thanks in advance,
Jeroen
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
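The reply above attributes the link failure to a base policy that predates the `audit_access` permission the devel headers reference. The kernel exports the classes and permissions of the policy it is actually running under selinuxfs (`/sys/fs/selinux` on current kernels, `/selinux` on older ones) as `class/<class>/perms/<perm>`, so that tree is the ground truth for the question. The script below is an added example, not code from the thread or from the SELinux project: it pulls the `class`/`permission` pairs out of a failed `semodule -i` run and checks each one against selinuxfs. The function names are mine, the selinuxfs tree in the demo is constructed to model a base policy without `audit_access`, and the sample stderr is constructed from the error quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: check which class/permission
# pairs named in a failed "semodule -i" run are unknown to the loaded policy.
#
# selinuxfs exposes the loaded policy's permissions as
#   <root>/class/<class>/perms/<perm>
# A module built against newer headers can reference a permission (here:
# audit_access on dir) that the loaded base policy never defined, and
# libsepol then refuses to link it.

# Locate selinuxfs on a real system. Prints the mount point, or fails.
selinuxfs_root() {
    for d in /sys/fs/selinux /selinux; do
        if [ -d "$d/class" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# perm_known <selinuxfs-root> <class> <perm>: 0 if the loaded policy defines it.
perm_known() {
    [ -f "$1/class/$2/perms/$3" ]
}

# Turn one libsepol "depends on permission X in class Y" line into "Y X".
# Prints nothing for lines that do not match.
parse_missing_perm() {
    printf '%s\n' "$1" |
        sed -n 's/.*depends on permission \([^ ]*\) in class \([^,]*\),.*/\2 \1/p'
}

# check_module_perms <selinuxfs-root> <file holding semodule stderr>
# Prints OK/MISSING per dependency; returns the number of missing permissions
# (0 means the loaded policy satisfies every dependency libsepol named).
check_module_perms() {
    root=$1
    errfile=$2
    missing=0
    while IFS= read -r line; do
        pair=$(parse_missing_perm "$line")
        [ -n "$pair" ] || continue
        set -- $pair                      # $1 = class, $2 = perm
        if perm_known "$root" "$1" "$2"; then
            printf 'OK      %s %s\n' "$1" "$2"
        else
            printf 'MISSING %s %s\n' "$1" "$2"
            missing=$((missing + 1))
        fi
    done < "$errfile"
    return "$missing"
}

# --- Self-contained demo on a constructed selinuxfs tree (no SELinux needed) ---

# Constructed fake selinuxfs modelling a base policy from before audit_access
# existed: class dir carries only the classic permissions.
make_fake_selinuxfs() {
    mkdir -p "$1/class/dir/perms" "$1/class/lnk_file/perms"
    for p in getattr ioctl read search write; do : > "$1/class/dir/perms/$p"; done
    for p in getattr ioctl read; do : > "$1/class/lnk_file/perms/$p"; done
}

demo() {
    tmp=$(mktemp -d)
    make_fake_selinuxfs "$tmp/selinux"
    # Constructed stderr, modelled on the failure quoted in the thread.
    cat > "$tmp/semodule.err" <<'EOF'
libsepol.permission_copy_callback: Module thales_logging depends on permission audit_access in class dir, not satisfied (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!
EOF
    check_module_perms "$tmp/selinux" "$tmp/semodule.err"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || printf 'module would not link: %s permission(s) unknown to the loaded policy\n' "$?"
```

On a real box the same check is `semodule -i thales_logging.pp 2>semodule.err; check_module_perms "$(selinuxfs_root)" semodule.err`. A `MISSING` line confirms the diagnosis in the reply: the module was compiled against devel headers newer than the loaded base policy. The remedy is to build against headers that match that base policy (or update the base policy), not to hand-edit the permission into the module, since the kernel will still not know the bit.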