When I built a policy module with the latest selinux-policy-devel (3.0.5-1), the Makefile didn't enable the MLS/MCS switch.
We had to add the "TYPE=mcs" option to avoid the problem.
----------------
[kaigai@masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule: loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai@masu policy]$ su
Password:
[root@masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu policy]#
----------------
I found the following differences between 3.0.4-1 and 3.0.5-1. ---------------- # enable MLS if requested. -ifneq ($(findstring -mls,$(TYPE)),) +ifeq "$(TYPE)" "mls" M4PARAM += -D enable_mls CHECKPOLICY += -M CHECKMODULE += -M endif
# enable MLS if MCS requested. -ifneq ($(findstring -mcs,$(TYPE)),) +ifeq "$(TYPE)" "mcs" M4PARAM += -D enable_mcs CHECKPOLICY += -M CHECKMODULE += -M ----------------
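Review bot: The exact comparisons that replace the findstring tests in both blocks (TYPE equal to "mls", TYPE equal to "mcs") silently fall through for any TYPE that carries the flag as a suffix, which is the form the removed "-mls" / "-mcs" substring tests were written to accept. When neither block matches, M4PARAM gets no enable_mls/enable_mcs define and CHECKPOLICY/CHECKMODULE lose -M, so the build still succeeds but produces a non-MLS module. Either keep a match that accepts the suffixed form, or make every caller pass a bare "mls"/"mcs" and add an explicit error for an unrecognised TYPE so the mismatch is caught at build time rather than at link time.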
Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile, the above blocks are skipped, and MLS/MCS is then disabled.
I think the above blocks should be reverted.
I want you to see the following console log:
[root@masu ~]# cd /usr/share/selinux/devel
[root@masu devel]# make -f ./Makefile NAME=targeted
Compiling targeted example module
/usr/bin/checkmodule: loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
rm tmp/example.mod tmp/example.mod.fc
[root@masu devel]# /usr/sbin/semodule -i example.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
[root@masu devel]#
When we try to build a policy package without a specific TYPE parameter, $(NAME)${MCSFLAG} is set as the default value in /usr/share/selinux/devel/Makefile.
$(NAME) is typically one of "targeted", "strict" or "mls", and $(MCSFLAG) is "-mls" or "-mcs". Therefore, for example, "targeted-mcs" will be used when we omit the TYPE parameter.
In the next stage, /usr/share/selinux/devel/include/Makefile checks the TYPE parameter to decide whether MLS/MCS should be enabled or not. But the above default value is not suitable for the following conditional statement.
-------------------------------------
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
	M4PARAM += -D enable_mls
	CHECKPOLICY += -M
	CHECKMODULE += -M
endif

# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
	M4PARAM += -D enable_mcs
	CHECKPOLICY += -M
	CHECKMODULE += -M
endif
-------------------------------------
The origin of the problem is that an unexpected TYPE is generated when we omit it. The following patch fixes the problem.
--- Makefile.devel.orig 2007-08-09 16:25:45.000000000 +0900 +++ Makefile.devel 2007-08-09 16:26:08.000000000 +0900 @@ -10,15 +10,15 @@ endif
ifeq ($(MLSENABLED),1) - MCSFLAG=-mcs + MCSFLAG=mcs endif
ifeq ($(NAME), mls) NAME = strict - MCSFLAG = -mls + MCSFLAG=mls endif
-TYPE ?= $(NAME)${MCSFLAG} +TYPE ?= $(MCSFLAG) HEADERDIR := $(SHAREDIR)/devel/include include $(HEADERDIR)/Makefile
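Review bot: The new default "TYPE ?= $(MCSFLAG)" expands to an empty string whenever neither the MLSENABLED branch nor the NAME=mls branch in this hunk assigns MCSFLAG, unless MCSFLAG is initialised above the visible context. Please give MCSFLAG an explicit default, or guard the case, so an empty TYPE cannot reach $(HEADERDIR)/Makefile unnoticed. Dropping $(NAME) from the default also changes what TYPE means for anything in the included Makefile that reads it, so it is worth confirming nothing there depends on the name-prefixed form. Minor style point: the two new assignments are written "MCSFLAG=mcs" / "MCSFLAG=mls" without spaces, while the removed line used "MCSFLAG = -mls"; pick one form.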