On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez
wrote:
> Hello,
> I was playing with semodule (trying to understand how it works) so I added
> a module. Later I also played with refpolicy and monolithic building
> (again trying to understand how it works).
> Now I want to delete the module I loaded before and this is the message I
> am getting from the system:
> # semodule -v -r KnockServer
> Attempting to remove module 'KnockServer':
> Ok: return value of 0.
> Committing changes:
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> /usr/sbin/load_policy: Can't load policy: Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule: Failed!
> semodule -l works fine (apparently) and one of the items in the list is
> KnockServer and its version.
> Is there any way to know why semodule -r is failing? What argument is
> invalid?
This typically means that the kernel rejected the policy, look for
messages in /var/log/messages. This can happen e.g. if you load a
policy that defines newer classes and permissions and later try to load
a policy that lacks those definitions, which would happen if you tried
loading a newer upstream policy and are now trying to revert to a stock
FC5 policy. The kernel has an overly conservative check at present that
no class or permission definitions can go away after initial policy
load; the actual requirement is just that no class or permission
definition on which the kernel relies should go away.
To recover, do something like:
# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer
Then reboot with the updated policy.
> I have other questions about modules: what is the relationship between the
> modules and the binary policy file installed at
> /etc/selinux/(strict|targeted)/policy? Does this file include just base
> modules? If so, where are the files for non-base modules stored? Is it
> another binary file?
The kernel binary policy file is generated from all of the kernel
policy-related data in the policy module store, including all modules
(base and non-base), local boolean settings, and network object
contexts. This is done by libsemanage, which is used by semodule,
semanage, and setsebool to apply changes to the policy.
--
Stephen Smalley
National Security Agency
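The kernel check described in the reply (no class or permission definition may disappear after the initial policy load) can be anticipated before a load_policy is attempted. The following is an added example, not code from the thread or from the SELinux userspace: it parses the flask access_vectors syntax used by refpolicy (common/class declarations with optional inherits) for the currently loaded and the candidate policy, and reports every class or permission the candidate would drop. The access_vectors text and the hypothetical KnockServer-era class are constructed sample input.

```python
"""Report classes/permissions a candidate policy drops relative to the loaded one."""
import re

# Matches: common NAME { perms }   |   class NAME [inherits COMMON] [{ perms }]
_DECL = re.compile(r"(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")


def parse_access_vectors(text):
    """Parse flask access_vectors syntax into {class_name: set(permissions)}.
    Permissions of an inherited 'common' block are folded into each class."""
    text = re.sub(r"#.*", "", text)          # strip comments
    commons, classes = {}, {}
    for kind, name, parent, body in _DECL.findall(text):
        perms = set(body.split())            # body is '' for a bodyless class
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes


def dropped_definitions(loaded, candidate):
    """Return (classes missing from candidate, {class: perms missing}).
    A non-empty result is exactly what the kernel's load-time check rejects."""
    missing_classes = sorted(c for c in loaded if c not in candidate)
    missing_perms = {}
    for cls, perms in loaded.items():
        if cls in candidate and perms - candidate[cls]:
            missing_perms[cls] = sorted(perms - candidate[cls])
    return missing_classes, missing_perms


# Constructed sample: the loaded policy knows a 'dbus' class and an extra
# 'entrypoint' permission on 'file' that the candidate policy lacks.
LOADED = """
common file { ioctl read write getattr setattr }
class file inherits file { execute_no_trans entrypoint }
class dir inherits file { add_name remove_name }
class dbus { acquire_svc send_msg }
"""
CANDIDATE = """
common file { ioctl read write getattr setattr }
class file inherits file { execute_no_trans }
class dir inherits file { add_name remove_name }
"""

if __name__ == "__main__":
    classes, perms = dropped_definitions(parse_access_vectors(LOADED),
                                         parse_access_vectors(CANDIDATE))
    print("dropped classes:", classes, "dropped permissions:", perms)
```

If either list is non-empty, the candidate would fail with the "Invalid argument" seen above, and the reboot-based recovery in the reply applies.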