When I built a policy module with the latest selinux-policy-devel (3.0.5-1),
the Makefile didn't enable the MLS/MCS switch.
We had to add the "TYPE=mcs" option to avoid the problem.
----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu policy]#
----------------
I found the following differences between 3.0.4-1 and 3.0.5-1.
----------------
# enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
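Review bot: The exact comparisons `ifeq "$(TYPE)" "mls"` and `ifeq "$(TYPE)" "mcs"` only match a bare TYPE, so a composite value such as the "$(NAME)${MCSFLAG}" default described in this message falls through both blocks and CHECKMODULE never gets -M. If bare values are the new intent, the default in the devel Makefile has to change in the same commit; otherwise accept both forms, for example `ifneq ($(filter mls %-mls,$(TYPE)),)`. The second comment also reads "enable MLS if MCS requested" above a block that defines enable_mcs; "enable MCS if requested" would match the code.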
----------------
Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in
/usr/share/selinux/devel/Makefile,
the above blocks are skipped, and MLS/MCS is then disabled.
I think the above blocks should be reverted.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
I want you to see the following console log:
[root@masu ~]# cd /usr/share/selinux/devel
[root@masu devel]# make -f ./Makefile NAME=targeted
Compiling targeted example module
/usr/bin/checkmodule: loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
rm tmp/example.mod tmp/example.mod.fc
[root@masu devel]# /usr/sbin/semodule -i example.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu devel]#
When we try to build a policy package without a specific TYPE
parameter, $(NAME)${MCSFLAG} is set as the default value in
/usr/share/selinux/devel/Makefile.
$(NAME) is typically one of "targeted", "strict" or "mls", and
$(MCSFLAG) is "-mls" or "-mcs".
Therefore, "targeted-mcs" will be used when we omit the TYPE parameter,
for example.
In the next stage, /usr/share/selinux/devel/include/Makefile checks
the TYPE parameter to decide whether MLS/MCS should be enabled or not.
But the above default value is not suitable for the following conditional
statements.
-------------------------------------
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
M4PARAM += -D enable_mls
CHECKPOLICY += -M
CHECKMODULE += -M
endif
# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
M4PARAM += -D enable_mcs
CHECKPOLICY += -M
CHECKMODULE += -M
endif
-------------------------------------
The origin of the problem is that an unexpected TYPE will be generated
when we omit it.
The following patch will fix the problem.
--- Makefile.devel.orig 2007-08-09 16:25:45.000000000 +0900
+++ Makefile.devel 2007-08-09 16:26:08.000000000 +0900
@@ -10,15 +10,15 @@
endif
ifeq ($(MLSENABLED),1)
- MCSFLAG=-mcs
+ MCSFLAG=mcs
endif
ifeq ($(NAME), mls)
NAME = strict
- MCSFLAG = -mls
+ MCSFLAG=mls
endif
-TYPE ?= $(NAME)${MCSFLAG}
+TYPE ?= $(MCSFLAG)
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile
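Review bot: `TYPE ?= $(MCSFLAG)` drops $(NAME) from the default, so in the lines shown TYPE ends up empty whenever MLSENABLED is not 1 and NAME is not mls, unless MCSFLAG is initialised above this hunk. Confirm that the included $(HEADERDIR)/Makefile handles an empty TYPE, or give MCSFLAG an explicit default. An explicitly passed composite TYPE such as targeted-mcs would still miss the exact-match conditionals quoted earlier in this message, so the requirement that TYPE be a bare mls or mcs should be documented next to this assignment. The change from `MCSFLAG = -mls` to `MCSFLAG=mls` also drops the spacing used by the neighbouring `NAME = strict`; keep one style.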
--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>