Philippe Naudin
2011-Jan-17 13:25 UTC
[CentOS] SELinux : semodule_package, magic number does not match
Hello,

I am trying to create a custom policy, but with no success :

$ cat <<EOF> foo.te
module local 1.0;

require {
        type httpd_sys_script_exec_t;
        type httpd_sys_script_t;
        class lnk_file read;
}

#============= httpd_sys_script_t =============
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
EOF

$ checkmodule -M -m -o foo.mod foo.te
checkmodule:  loading policy configuration from foo.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 6) to foo.mod

$ semodule_package -o foo.pp -m foo.mod
$ echo $?
0
# So far, so good. But :

$ checkmodule -b foo.pp
checkmodule:  loading policy configuration from foo.pp
libsepol.policydb_read: policydb magic number 0xf97cff8f does not match expected magic number 0xf97cff8c or 0xf97cff8d
checkmodule:  error(s) encountered while parsing configuration
# And trying to "semodule -i foo.pp" fails completely.

So here come my questions :

- is there a boolean to allow httpd to execute a script "symlinked" ?
  (scontext=system_u:system_r:httpd_sys_script_t:s0
  tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file)
- can someone reproduce the error described above ?
- any clue on how to fix it ?

(For the curious one : I am fighting svn hooks on a filesystem
mounted "-o noexec".)

Additional info :
$ rpm -qa 'kernel*' '*selinux*'
kernel-2.6.18-194.26.1.el5
kernel-2.6.18-194.32.1.el5
kernel-devel-2.6.18-194.26.1.el5
kernel-devel-2.6.18-194.32.1.el5
kernel-headers-2.6.18-194.32.1.el5
libselinux-1.33.4-5.5.el5
libselinux-devel-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-2.4.6-279.el5_5.2
selinux-policy-devel-2.4.6-279.el5_5.2
selinux-policy-targeted-2.4.6-279.el5_5.2
$ uname -a
Linux despina 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010 x86_64 x86_64 x86_64 GNU/Linux

Thanks,

-- 
Philippe
Daniel J Walsh
2011-Jan-17 19:32 UTC
[CentOS] SELinux : semodule_package, magic number does not match
On 01/17/2011 08:25 AM, Philippe Naudin wrote:
> Hello,
>
> I am trying to create a custom policy, but with no success :
>
> $ cat <<EOF> foo.te
> module local 1.0;
>
> require {
>         type httpd_sys_script_exec_t;
>         type httpd_sys_script_t;
>         class lnk_file read;
> }
>
> #============= httpd_sys_script_t =============
> allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
> EOF
>
> $ checkmodule -M -m -o foo.mod foo.te
> checkmodule:  loading policy configuration from foo.te
> checkmodule:  policy configuration loaded
> checkmodule:  writing binary representation (version 6) to foo.mod
>
> $ semodule_package -o foo.pp -m foo.mod
> $ echo $?
> 0
> # So far, so good. But :
>
> $ checkmodule -b foo.pp
> checkmodule:  loading policy configuration from foo.pp
> libsepol.policydb_read: policydb magic number 0xf97cff8f does not match
> expected magic number 0xf97cff8c or 0xf97cff8d
> checkmodule:  error(s) encountered while parsing configuration
> # And trying to "semodule -i foo.pp" fails completely.
>

Wrong command.

semodule -i foo.pp

Is what you want to execute.  I am not sure what checkmodule -b foo.pp
will do.

> So here come my questions :
>
> - is there a boolean to allow httpd to execute a script "symlinked" ?
>   (scontext=system_u:system_r:httpd_sys_script_t:s0
>   tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=lnk_file)
> - can someone reproduce the error described above ?
> - any clue on how to fix it ?
>
> (For the curious one : I am fighting svn hooks on a filesystem
> mounted "-o noexec".)
>
> Additional info :
> $ rpm -qa 'kernel*' '*selinux*'
> kernel-2.6.18-194.26.1.el5
> kernel-2.6.18-194.32.1.el5
> kernel-devel-2.6.18-194.26.1.el5
> kernel-devel-2.6.18-194.32.1.el5
> kernel-headers-2.6.18-194.32.1.el5
> libselinux-1.33.4-5.5.el5
> libselinux-devel-1.33.4-5.5.el5
> libselinux-python-1.33.4-5.5.el5
> libselinux-utils-1.33.4-5.5.el5
> selinux-policy-2.4.6-279.el5_5.2
> selinux-policy-devel-2.4.6-279.el5_5.2
> selinux-policy-targeted-2.4.6-279.el5_5.2
> $ uname -a
> Linux despina 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:20 EST 2010
> x86_64 x86_64 x86_64 GNU/Linux
>
> Thanks,
>
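
Added example, not part of either message above: in libsepol, 0xf97cff8c marks a kernel binary policy, 0xf97cff8d a policy module such as foo.mod, and 0xf97cff8f a module package such as foo.pp, so checkmodule -b rejects the package while semodule -i is the tool that reads it. The function names read_magic and policy_kind are hypothetical, and the sample file is a constructed 4-byte stub, not a real package.

```shell
#!/bin/sh
# Added example: classify an SELinux policy file by its leading 32-bit magic.
# The three magic values are the ones quoted in the libsepol error message;
# the mapping to file kinds follows libsepol's headers.

# Print the first four bytes of file $1 as a little-endian 32-bit hex value.
read_magic() {
    # od prints bytes in file order; the magic is stored little-endian,
    # so the bytes are emitted in reverse. Fewer than 4 bytes is an error.
    set -- $(od -An -tx1 -N4 "$1")
    [ $# -eq 4 ] || return 1
    printf '0x%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Map the magic of file $1 to the kind of file it introduces.
policy_kind() {
    magic=$(read_magic "$1") || { echo "too-short"; return 1; }
    case "$magic" in
        0xf97cff8c) echo "kernel-policy" ;;   # monolithic binary policy
        0xf97cff8d) echo "module" ;;          # checkmodule -m output (.mod)
        0xf97cff8f) echo "module-package" ;;  # semodule_package output (.pp)
        *)          echo "unknown"; return 1 ;;
    esac
}

# Constructed sample: only the 4-byte header of a .pp, not a real package.
tmp=$(mktemp) && printf '\217\377\174\371' > "$tmp"
echo "sample header: $(read_magic "$tmp") -> $(policy_kind "$tmp")"
rm -f "$tmp"
```

Running policy_kind on foo.mod and foo.pp before loading shows which stage of the checkmodule / semodule_package pipeline produced each file.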