MLS/MCS disabled in building a policy module

KaiGai Kohei kaigai at kaigai.gr.jp
Thu Aug 9 10:32:45 UTC 2007 

I want you to see the following console log:

[root at masu ~]# cd /usr/share/selinux/devel
[root at masu devel]# make -f ./Makefile NAME=targeted
Compiling targeted example module
/usr/bin/checkmodule:  loading policy configuration from tmp/example.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 6) to tmp/example.mod
Creating targeted example.pp policy package
rm tmp/example.mod tmp/example.mod.fc
[root at masu devel]# /usr/sbin/semodule -i example.pp
libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
[root at masu devel]#

When we try to build a policy package without specific TYPE
parameter, $(NAME)${MCSFLAG} is set as a default value in the
/usr/share/selinux/devel/Makefile .

$(NAME) is typically one of "targeted", "strict" or "mls", and
$(MCSFLAG) is "-mls" or "-mcs".
Therefore, "targeted-mcs" will be used when we omit TYPE parameter
for example.

In the next stage, /usr/share/selinux/devel/include/Makefile checks
TYPE parameter whether MLS/MCS should be enabled, or not.
But the above default value is not suitable for the following conditional
statement.
-------------------------------------
# enable MLS if requested.
ifeq "$(TYPE)" "mls"
        M4PARAM += -D enable_mls
        CHECKPOLICY += -M
        CHECKMODULE += -M
endif

# enable MLS if MCS requested.
ifeq "$(TYPE)" "mcs"
        M4PARAM += -D enable_mcs
        CHECKPOLICY += -M
        CHECKMODULE += -M
endif
-------------------------------------

The origin of the problem is that unexpected TYPE will be generated
when we omit it.
The following patch will fixes the problem.

--- Makefile.devel.orig 2007-08-09 16:25:45.000000000 +0900
+++ Makefile.devel      2007-08-09 16:26:08.000000000 +0900
@@ -10,15 +10,15 @@
 endif

 ifeq ($(MLSENABLED),1)
-       MCSFLAG=-mcs
+       MCSFLAG=mcs
 endif

 ifeq ($(NAME), mls)
        NAME = strict
-       MCSFLAG = -mls
+       MCSFLAG=mls
 endif

-TYPE ?= $(NAME)${MCSFLAG}
+TYPE ?= $(MCSFLAG)
 HEADERDIR := $(SHAREDIR)/devel/include
 include $(HEADERDIR)/Makefile

-- 
KaiGai Kohei <kaigai at kaigai.gr.jp>

More information about the fedora-selinux-list mailing list