On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez wrote:
Hello,
I was playing with semodule (trying to understand how it works) so I added a module. Later I also played with refpolicy and monolithic building (again trying to understand how it works).
Now I want to delete the module I loaded before and this is the message I am getting from the system:
# semodule -v -r KnockServer
Attempting to remove module 'KnockServer':
Ok: return value of 0.
Committing changes:
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
/usr/sbin/load_policy: Can't load policy: Invalid argument
libsemanage.semanage_reload_policy: load_policy returned error code 2.
semodule: Failed!
semodule -l works fine (apparently) and one of the items in the list is KnockServer and its version. Is there any way to know why semodule -r is failing? What argument is invalid?
This typically means that the kernel rejected the policy, look for messages in /var/log/messages. This can happen e.g. if you load a policy that defines newer classes and permissions and later try to load a policy that lacks those definitions, which would happen if you tried loading a newer upstream policy and are now trying to revert to a stock FC5 policy. The kernel has an overly conservative check at present that no class or permission definitions can go away after initial policy load; the actual requirement is just that no class or permission definition on which the kernel relies should go away.
To recover, do something like:

# Remove the module, rebuild policy, but don't try to load it yet.
semodule -n -r KnockServer
Then reboot with the updated policy.
I have other questions about modules: what is the relationship between the modules and the binary policy file installed at /etc/selinux/(strict|targeted)/policy? Does this file include just base modules? If so, where are the files for non-base modules stored? Is it another binary file?
The kernel binary policy file is generated from all of the kernel policy-related data in the policy module store, including all modules (base and non-base), local boolean settings, and network object contexts. This is done by libsemanage, which is used by semodule, semanage, and setsebool to apply changes to the policy.
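As an added example (not code from this thread, nor from the SELinux project), the following Python script reproduces the check the reply describes: the kernel rejects a policy that drops any class or permission the currently loaded policy defined, so diffing the two definition sets shows exactly which definitions would "go away". On a live system the loaded set can be read from selinuxfs (assumed here to be mounted at /sys/fs/selinux, with one directory per class and its permissions under perms/); the LOADED and CANDIDATE tables below are constructed sample data standing in for a newer upstream policy and a stock policy being reverted to.

```python
"""Show which class/permission definitions a candidate SELinux policy
would remove relative to the policy the kernel currently has loaded.

Added example; the class and permission names in the sample tables are
constructed, not taken from any real policy.
"""
import os

# Constructed sample: definitions known to the running kernel, as loaded
# from a newer policy.
LOADED = {
    "file": {"read", "write", "execute", "example_new_perm"},
    "dbus": {"acquire_svc", "send_msg"},
    "example_new_class": {"getattr", "setattr"},
}

# Constructed sample: definitions in the older policy being reverted to.
CANDIDATE = {
    "file": {"read", "write", "execute"},
    "dbus": {"acquire_svc", "send_msg"},
}


def read_kernel_classes(root="/sys/fs/selinux/class"):
    """Read the kernel's class/permission view from selinuxfs.

    Assumed layout: <root>/<class>/perms/<perm>. Returns an empty dict when
    selinuxfs is not mounted at that path, so the caller can fall back to
    sample data when run off-box.
    """
    classes = {}
    if not os.path.isdir(root):
        return classes
    for cls in os.listdir(root):
        perm_dir = os.path.join(root, cls, "perms")
        if os.path.isdir(perm_dir):
            classes[cls] = set(os.listdir(perm_dir))
    return classes


def definitions_removed(loaded, candidate):
    """Return {class: set(perms)} for every definition the candidate drops.

    A class missing entirely maps to all of its loaded permissions; a class
    that survives maps only to the permissions it lost. An empty result means
    the candidate passes the kernel's "nothing may go away" check.
    """
    removed = {}
    for cls, perms in loaded.items():
        missing = perms - candidate.get(cls, set())
        if missing:
            removed[cls] = missing
    return removed


def report(removed):
    """Format the diff as one line per class, sorted for stable output."""
    if not removed:
        return "candidate policy defines every loaded class and permission"
    lines = ["candidate policy would drop definitions the kernel has loaded:"]
    for cls in sorted(removed):
        lines.append("  class %s: %s" % (cls, ", ".join(sorted(removed[cls]))))
    return "\n".join(lines)


if __name__ == "__main__":
    loaded = read_kernel_classes() or LOADED
    print(report(definitions_removed(loaded, CANDIDATE)))
```

When the diff is non-empty, the `semodule -n -r` followed by a reboot that the reply suggests is the way out: the rebuilt policy is written to disk without being handed to the running kernel, and the fresh kernel starts from that policy with no prior definitions to conflict with.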