MLS/MCS disabled in building a policy module

KaiGai Kohei kaigai at ak.jp.nec.com
Tue Aug 7 03:56:59 UTC 2007


When I built a policy module with the latest selinux-policy-devel (3.0.5-1),
the Makefile didn't enable the MLS/MCS switch.

We had to add the "TYPE=mcs" option to avoid the problem.

----------------
[kaigai at masu policy]$ make NAME=targted -f /usr/share/selinux/devel/Makefile
Compiling targted sepostgresql module
/usr/bin/checkmodule:  loading policy configuration from tmp/sepostgresql.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/sepostgresql.mod
Creating targted sepostgresql.pp policy package
rm tmp/sepostgresql.mod.fc tmp/sepostgresql.mod
[kaigai at masu policy]$ su
Password:
[root at masu policy]# /usr/sbin/semodule -i sepostgresql.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
[root at masu policy]#
----------------

I found the following differences between 3.0.4-1 and 3.0.5-1.
----------------
 # enable MLS if requested.
-ifneq ($(findstring -mls,$(TYPE)),)
+ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
 endif

 # enable MLS if MCS requested.
-ifneq ($(findstring -mcs,$(TYPE)),)
+ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
----------------
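
Review bot: The exact-match tests on the two "+" lines (ifeq "$(TYPE)" "mls" and ifeq "$(TYPE)" "mcs") only succeed when TYPE is exactly that word, so any TYPE that carries a policy name in front of the flag skips both blocks. In that case -D enable_mls / -D enable_mcs is never added to M4PARAM and -M is never added to CHECKPOLICY or CHECKMODULE, which produces a non-MLS module that cannot link against an MLS base. Either keep the removed findstring -mls / findstring -mcs tests, or change the devel Makefile so that TYPE is set to the bare "mls" or "mcs" value these tests expect, and document which form of TYPE the Makefile accepts.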

Because $(TYPE) is set as "$(NAME)${MCSFLAG}" in /usr/share/selinux/devel/Makefile,
the above blocks are skipped, and so MLS/MCS is disabled.

I think the above blocks should be reverted.
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>



