[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-selinux-list
Subject:    MLS/MCS disabled in building a policy module
From:       KaiGai Kohei <kaigai () ak ! jp ! nec ! com>
Date:       2007-08-07 3:56:59
Message-ID: 46B7ED8B.6060506 () ak ! jp ! nec ! com
[Download RAW message or body]

When I built a policy module with the latest selinux-policy-devel (3.0.5-1),
the Makefile didn't enable the MLS/MCS switch.

We had to add "TYPE=mcs" option to avoid the problem.

----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule:  loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
[root@masu policy]#
----------------

I found the following differences between 3.0.4-1 and 3.0.5-1.
----------------
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
 endif

 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
----------------

Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile,
the above blocks are skipped, then MLS/MCS is disabled.

I think the above blocks should be reverted.
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic