When I built a policy module with the latest selinux-policy-devel (3.0.5-1), the Makefile didn't enable the MLS/MCS switch.
We had to add the "TYPE=mcs" option to avoid the problem.
----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu policy]#
----------------
I found the following differences between 3.0.4-1 and 3.0.5-1. ---------------- # enable MLS if requested. -ifneq ($(findstring -mls,$(TYPE)),) +ifeq "$(TYPE)" "mls" M4PARAM += -D enable_mls CHECKPOLICY += -M CHECKMODULE += -M endif
# enable MLS if MCS requested. -ifneq ($(findstring -mcs,$(TYPE)),) +ifeq "$(TYPE)" "mcs" M4PARAM += -D enable_mcs CHECKPOLICY += -M CHECKMODULE += -M ----------------
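Review bot: the new tests `ifeq "$(TYPE)" "mls"` and `ifeq "$(TYPE)" "mcs"` match only when TYPE is exactly that word, while the removed `findstring -mls` and `findstring -mcs` tests matched it as a suffix. Any composed TYPE value that carries the flag after a policy name now falls through both blocks, so `-M` is never added to CHECKPOLICY or CHECKMODULE and `-D enable_mls` / `-D enable_mcs` never reaches M4PARAM. Nothing in either block reports this, so the module builds without error and is only rejected later at link time against an MLS base. Suggest keeping the findstring form, or accepting both the bare and the suffixed value, and failing the build with an explicit error when the base is MLS/MCS but neither block was taken. Separately, the comment on the second block reads "enable MLS if MCS requested" while the block defines enable_mcs; the comment should say what `-M` means for an MCS policy.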
Because $(TYPE) is set to "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile, the above blocks are skipped, and MLS/MCS is then disabled.
I think the above blocks should be reverted.