10:33 a.m.
Hello,
I was playing with semodule (trying to understand how it works) so I added
a module. Later I also played with refpolicy and monolithic building
(again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I
am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is
KnockServer and its version.
Is there any way to know why semodule -r is failing? What argument is
invalid?
I have other questions about modules: what is the relationship between the
modules and the binary policy file installed at
/etc/selinux/(strict|targeted)/policy? Does this file include just base
modules? If so, where are the files for non-base modules stored? Is it
another binary file?
Thanks in advance,
Sandra
10:58 a.m.
On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez
wrote:
Hello,
I was playing with semodule (trying to understand how it works) so I added
a module. Later I also played with refpolicy and monolithic building
(again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I
am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is
KnockServer and its version.
Is there any way to know why semodule -r is failing? What argument is
invalid?
This typically means that the kernel rejected the policy, look for
messages in /var/log/messages. This can happen e.g. if you load a
policy that defines newer classes and permissions and later try to load
a policy that lacks those definitions, which would happen if you tried
loading a newer upstream policy and are now trying to revert to a stock
FC5 policy. The kernel has an overly conservative check at present that
no class or permission definitions can go away after initial policy
load; the actual requirement is just that no class or permission
definition on which the kernel relies should go away.
To recover, do something like:
# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer
Then reboot with the updated policy.
I have other questions about modules: what is the relationship
between the
modules and the binary policy file installed at
/etc/selinux/(strict|targeted)/policy? Does this file include just base
modules? If so, where are the files for non-base modules stored? Is it
another binary file?
The kernel binary policy file is generated from all of the kernel
policy-related data in the policy module store, including all modules
(base and non-base), local boolean settings, and network object
contexts. This is done by libsemanage, which is used by semodule,
semanage, and setsebool to apply changes to the policy.
--
Stephen Smalley
National Security Agency
8:49 p.m.
New subject: creating a new user
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem
with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in
the src directory and also to /etc/selinux/strict/users/local.users. I
tried first to modify only the one in src but it did not work, so I also
modified the other one.
Since I am working based on refpolicy (I already run make install-src) and
the instructions I have found are for previous versions I am not sure if I
need to run make policy, and then install. Just to be sure I tried, make
policy worked ok, but make install does not work ...
I guess I am doing something wrong ... could anybody help me with that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20
file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users
file. I am also trying to use it as part of the context for a file.
Thanks in advance,
Sandra
9:35 a.m.
New subject: creating a new user
Sandra Julieta Rueda Rodriguez wrote:
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem
with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in
the src directory and also to /etc/selinux/strict/users/local.users. I
tried first to modify only the one in src but it did not work, so I also
modified the other one.
Why not use semanage user -a to add SELinux users
or
semanage login -a if you want to map a UID to a SELinux user.
Since I am working based on refpolicy (I already run make
install-src) and
the instructions I have found are for previous versions I am not sure if I
need to run make policy, and then install. Just to be sure I tried, make
policy worked ok, but make install does not work ...
I guess I am doing something wrong ... could anybody help me with that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20
file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users
file. I am also trying to use it as part of the context for a file.
Thanks in advance,
Sandra
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
12:44 p.m.
New subject: creating a new user
On Wed, 2006-09-27 at 21:49 -0400, Sandra Julieta Rueda Rodriguez
wrote:
Hello,
I just executed the given instructions (semodule -n -r) to fix the problem
with semodule and now everything is working ok. Thanks.
Now I have a different problem ....
I am trying to create a new user. I added it to the file local.users in
the src directory and also to /etc/selinux/strict/users/local.users. I
tried first to modify only the one in src but it did not work, so I also
modified the other one.
local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1
in /etc/selinux/config. In FC5 and later, user manipulation is done via
semanage, and makes use of a separate mapping from Linux users to
SELinux user identities (the seusers mapping), so that one can
add/remove/modify Linux users without modifying kernel policy at all.
semanage login manipulates this mapping. semanage user can also be used
to manipulate SELinux user identities, but you generally shouldn't need
to do that - typically you would just have one SELinux user identity per
logical role, and then map Linux users to those SELinux user identities.
Since I am working based on refpolicy (I already run make
install-src) and
the instructions I have found are for previous versions I am not sure if I
need to run make policy, and then install. Just to be sure I tried, make
policy worked ok, but make install does not work ...
Um, you do know that FC5 policy is also based on refpolicy, right? And
that you should be doing a modular policy build even if you are building
from the upstream refpolicy, so that you can continue to use semodule
and semanage?
I guess I am doing something wrong ... could anybody help me with
that?
This is the output of make install:
Validating strict file_contexts.
/usr/sbin/setfiles -q -c /etc/selinux/strict/policy/policy.20
file_contexts
libsepol.context_from_record: user rueda is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert rueda:staff_r:staff_t to sid
file_contexts: line 2149 has invalid context
make: *** [/etc/selinux/strict/contexts/files/file_contexts] Error 1
rueda is the user I am trying to create by adding it to the local.users
file. I am also trying to use it as part of the context for a file.
--
Stephen Smalley
National Security Agency
2:51 p.m.
New subject: creating a new user
Hi,
>
> I am trying to create a new user. I added it to the file local.users in
> the src directory and also to /etc/selinux/strict/users/local.users. I
> tried first to modify only the one in src but it did not work, so I also
> modified the other one.
local.users is deprecated in FC5, and only looked at if SETLOCALDEFS=1
in /etc/selinux/config. In FC5 and later, user manipulation is done via
semanage, and makes use of a separate mapping from Linux users to
SELinux user identities (the seusers mapping), so that one can
add/remove/modify Linux users without modifying kernel policy at all.
semanage login manipulates this mapping. semanage user can also be used
to manipulate SELinux user identities, but you generally shouldn't need
to do that - typically you would just have one SELinux user identity per
logical role, and then map Linux users to those SELinux user identities.
That was
my next question. I wanted to know if local.users did not work at
all fro FC5. Now I have your answer.
Um, you do know that FC5 policy is also based on refpolicy, right? And
that you should be doing a modular policy build even if you are building
from the upstream refpolicy, so that you can continue to use semodule
and semanage?
yes, you were talking about it two weeks ago. But I did not know
that
there are things that do not work in the old way anymore.
I was wondering if there is a place (a guide or a book) where I can find
updated information. I am learning and it is kind of frustating to try to
set up policies and then realize that the main problem is that one is
working based on old instructions, and those are not always valid
(although some of them are valid some times). When I look for info in
internet most of the time I find instructions related to the old ways to
work with selinux.
Thank a lot,
Sandra
--
Stephen Smalley
National Security Agency
8:03 a.m.
New subject: creating a new user
On Sun, 2006-10-01 at 15:51 -0400, Sandra Julieta Rueda Rodriguez wrote:
I was wondering if there is a place (a guide or a book) where I can
find
updated information. I am learning and it is kind of frustating to try to
set up policies and then realize that the main problem is that one is
working based on old instructions, and those are not always valid
(although some of them are valid some times). When I look for info in
internet most of the time I find instructions related to the old ways to
work with selinux.
Of the available information resources (
http://selinux.sourceforge.net/resources.php3
), the ones that are more likely to be current include:
- The Fedora Core 5 SELinux FAQ:
http://fedora.redhat.com/docs/selinux-faq-fc5/
- The Fedora Project wiki SELinux page:
http://fedoraproject.org/wiki/SELinux/
- The recently published SELinux by Example book:
http://www.phptr.com/bookstore/product.asp?isbn=0131963694&rl=1
--
Stephen Smalley
National Security Agency
6409
days inactive
6414
days old
selinux@lists.fedoraproject.org
6 comments
3 participants
participants (3)
-
Daniel J Walsh -
Sandra Rueda -
Stephen Smalley