[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: MLS/MCS disabled in building a policy module

From: KaiGai Kohei <kaigai kaigai gr jp>
To: Daniel J Walsh <dwalsh redhat com>
Cc: fedora-selinux-list redhat com
Subject: Re: MLS/MCS disabled in building a policy module
Date: Thu, 09 Aug 2007 19:32:45 +0900

I want you to see the following console log:

[root masu ~]# cd /usr/share/selinux/devel
[root masu devel]# make -f ./Makefile NAME=targeted
Compiling targeted example module
/usr/bin/checkmodule:  loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
rm tmp/example.mod tmp/example.mod.fc
[root masu devel]# /usr/sbin/semodule -i example.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
[root masu devel]#

When we try to build a policy package without specific TYPE
parameter, $(NAME)${MCSFLAG} is set as a default value in the
/usr/share/selinux/devel/Makefile .

$(NAME) is typically one of "targeted", "strict" or "mls", and
$(MCSFLAG) is "-mls" or "-mcs".
Therefore, "targeted-mcs" will be used when we omit TYPE parameter
for example.

In the next stage, /usr/share/selinux/devel/include/Makefile checks
TYPE parameter whether MLS/MCS should be enabled, or not.
But the above default value is not suitable for the following conditional
statement.
-------------------------------------
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
endif

# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
endif
-------------------------------------

The origin of the problem is that unexpected TYPE will be generated
when we omit it.
The following patch will fixes the problem.

--- Makefile.devel.orig 2007-08-09 16:25:45.000000000 +0900
+++ Makefile.devel      2007-08-09 16:26:08.000000000 +0900
@@ -10,15 +10,15 @@
 endif

 ifeq ($(MLSENABLED),1)
-       MCSFLAG=-mcs
+       MCSFLAG=mcs
 endif

 ifeq ($(NAME), mls)
        NAME = strict
-       MCSFLAG = -mls
+       MCSFLAG=mls
 endif

-TYPE ?= $(NAME)${MCSFLAG}
+TYPE ?= $(MCSFLAG)
 HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile

-- 
KaiGai Kohei <kaigai kaigai gr jp>

References:
- MLS/MCS disabled in building a policy module
  - From: KaiGai Kohei

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]