question about semodule

Stephen Smalley sds at tycho.nsa.gov
Wed Sep 27 15:58:54 UTC 2006


On Wed, 2006-09-27 at 11:33 -0400, Sandra Julieta Rueda Rodriguez wrote:
> Hello,
> 
> I was playing with semodule (trying to understand how it works) so I added
> a module. Later I also played with refpolicy and monolithic building
> (again trying to understand how it works).
> 
> Now I want to delete the module I loaded before and this is the message I
> am getting from the system:
> 
> # semodule -v -r KnockServer
> Attempting to remove module 'KnockServer':
> Ok: return value of 0.
> Committing changes:
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> /usr/sbin/load_policy:  Can't load policy:  Invalid argument
> libsemanage.semanage_reload_policy: load_policy returned error code 2.
> semodule:  Failed!
> 
> semodule -l works fine (apparently) and one of the items in the list is
> KnockServer and its version.
> Is there any way to know why semodule -r is failing? What argument is
> invalid?

This typically means that the kernel rejected the policy; look for
messages in /var/log/messages.  This can happen e.g. if you load a
policy that defines newer classes and permissions and later try to load
a policy that lacks those definitions, which would happen if you tried
loading a newer upstream policy and are now trying to revert to a stock
FC5 policy.  The kernel has an overly conservative check at present that
no class or permission definitions can go away after initial policy
load; the actual requirement is just that no class or permission
definition on which the kernel relies should go away.

To recover, do something like:
	# Remove the module, rebuild policy, but don't try to load it yet.
	semodule -n -r KnockServer

Then reboot with the updated policy. 

> I have other questions about modules: what is the relationship between the
> modules and the binary policy file installed at
> /etc/selinux/(strict|targeted)/policy? Does this file include just base
> modules? If so, where are the files for non-base modules stored? Is it
> another binary file?

The kernel binary policy file is generated from all of the kernel
policy-related data in the policy module store, including all modules
(base and non-base), local boolean settings, and network object
contexts.  This is done by libsemanage, which is used by semodule,
semanage, and setsebool to apply changes to the policy.

-- 
Stephen Smalley
National Security Agency
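
As an added example (not part of Stephen's reply or of the SELinux tools), a small POSIX shell script for the diagnosis and recovery he describes: it scans a log for the kernel's policy-rejection messages and wraps the "remove without loading" step. The kernel message patterns and the sample log lines are assumptions constructed for the demo, not taken from this thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Two helpers for the
# situation above: scan a log for the kernel's policy-rejection messages,
# and remove a module without loading the rebuilt policy (semodule -n -r),
# leaving the load for the next reboot as the reply advises.
#
# Assumed message patterns (verify against your kernel's sources):
#   "SELinux:  class X not defined in policy"
#   "SELinux:  permission X in class Y not defined in policy"
#   "SELinux:  the definition of a class is incorrect"

# Print log lines that explain a load_policy "Invalid argument" failure.
# Usage: policy_load_errors /var/log/messages
policy_load_errors() {
    grep -E 'SELinux: .*(not defined in policy|definition of a class)' "$1"
}

# Exit status 0 if the log holds at least one such rejection, 1 otherwise.
policy_was_rejected() {
    policy_load_errors "$1" >/dev/null
}

# Remove MODULE from the store and rebuild policy without loading it,
# so the old (already loaded) policy keeps running until reboot.
# Usage: remove_module_without_load KnockServer
remove_module_without_load() {
    module="$1"
    semodule -n -r "$module" || return 1
    echo "Module '$module' removed; reboot to load the rebuilt policy."
}

# Constructed sample log so the scanner can be exercised offline.
demo_log="$(mktemp)"
cat >"$demo_log" <<'EOF'
Sep 27 11:30:01 host kernel: SELinux:  class dbus not defined in policy
Sep 27 11:30:01 host kernel: SELinux:  permission send_msg in class dbus not defined in policy
Sep 27 11:30:02 host load_policy: Can't load policy: Invalid argument
EOF
```

Run `policy_load_errors /var/log/messages` after a failed `semodule -r` to see what the kernel objected to, then `remove_module_without_load MODULE` and reboot.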
