| Main Archive Page > Month Archives > selinux archives |
Re: libsemanage.semanage_install_active: error during semodule -n -v -b base.pp -s refpolicy
From: Joshua Brindle <method_at_nospam>Date: Fri Jun 13 2008 - 15:23:38 GMT
To: Vikram Ambrose <Vikram.Ambrose@windriver.com>
Vikram Ambrose wrote:
> Stephen Smalley wrote:
>> On Thu, 2008-06-12 at 14:51 -0400, Vikram Ambrose wrote:
>>
>>> Stephen Smalley wrote:
>>>
>>>> On Thu, 2008-06-12 at 13:57 -0400, Vikram Ambrose wrote:
>>>>
>>>>> Stephen Smalley wrote:
>>>>>
>>>>>> On Thu, 2008-06-12 at 13:35 -0400, Vikram Ambrose wrote:
>>>>>>
>>>>>>> Stephen Smalley wrote:
>>>>>>>
>>>>>>>> On Thu, 2008-06-12 at 10:43 -0400, Vikram Ambrose wrote:
>>>>>>>>
>>>>>>>>> During the "make load" procedure with refpolicy, the semodule
>>>>>>>>> command fails, so I tried it manually and I see this error.
>>>>>>>>>
>>>>>>>>> root@ubuntu:/home/vikram/refpolicy-ac# semodule -b
>>>>>>>>> /usr/share/selinux/refpolicy/base.pp -s refpolicy -v -n
>>>>>>>>> Attempting to install base module
>>>>>>>>> '/usr/share/selinux/refpolicy/base.pp':
>>>>>>>>> Ok: return value of 0.
>>>>>>>>> Committing changes:
>>>>>>>>> libsemanage.semanage_install_active: setfiles returned error
>>>>>>>>> code 1. (No such file or directory).
>>>>>>>>>
>>>>>>>> whereis setfiles
>>>>>>>>
>>>>>>>>
>>>>>>> setfiles and the rest of the SELinux "toolchain" was all built
>>>>>>> from svn and placed into /hone/testing/root
>>>>>>> root's environment has PATH that contains /home/testing/root/bin
>>>>>>> as well as LD_LIBRARY_PATH to /home/testing/root/lib
>>>>>>>
>>>>>>> Does libsemanage have a hard coded path to setfiles?
>>>>>>>
>>>>>> Yes, although it can be overridden via /etc/selinux/semanage.conf.
>>>>>> Add something like:
>>>>>> [setfiles]
>>>>>> path = /path/to/setfiles
>>>>>> [end]
>>>>>>
>>>>>>
>>>>> I just noticed the hard coded path in conf-parser.y
>>>>> Is there a way of doing the above with a generic rule to all of the
>>>>> selinux toolchain and not specifically to "setfiles" as shown above?
>>>>>
>>>> Not presently; it wasn't really intended for an alternate root
>>>> mechanism
>>>> (and apparently doesn't work for it anyway, as you have found).
>>>>
>>>>
>>> And specifying each and every tool individual is not possible i suppose?
>>>
>>
>> There are only two helpers that are executed by default, setfiles and
>> load_policy, and you can specify them both, using the same syntax but
>> different section keyword.
>>
>>
>>>>> ...
>>>>> Adding that to semanage.conf produce an almost obvious error "
>>>>> error while loading shared libraries: libsepol.so.0: cannot open
>>>>> shared object file: No such file or directory"
>>>>>
>>>>> what sort of environment is libsemanage using to execute setfiles?
>>>>> libsepol and friends are in LD_LIBRARY_PATH
>>>>>
>>>> Ah, semanage_exec_prog() passes a NULL environ to execve().
>>>>
>>>>
>>> Can this be rectified?
>>>
>>
>> Even if we changed the code, the policy normally won't allow passing of
>> LD_LIBRARY_PATH and the like across a domain transition (noatsecure
>> permission to disable setting of AT_SECURE auxv flag), and setfiles and
>> load_policy typically run in their own domains. Although you can
>> certainly customize policy and the code for your particular needs.
>>
>>
>>>> I think this takes us to the "run it in a chroot environment" scenario
>>>> if you don't want to install the libraries and programs to your system
>>>> directories. I'm not entirely sure what your goal is here though - you
>>>> seem ok with installing the policy files to system directories.
>>>>
>>> Your last remark there is rather confusing to me. You seem to suggest
>>> that "installing the policy files to system directories" is an option
>>> I have been given, and as such chosen to do so. To my knowledge the
>>> entire toolchain is hard coded to /etc/selinux and as such not
>>> possible to provide a /different/syconfig/path. How is it that I go
>>> about installing selinux and its configuration to a non "system
>>> directory", yet "system wide" path such as /security or /selinux or
>>> /seconfig etc..?
>>>
>>
>> Well, yes, that's true. Running it chroot'd is the only way right now
>> to do that. Which would also resolve your problem with setfiles.
>>
>> The other approach would be to change libselinux to support an alternate
>> root setting via some mechanism, but we have to be careful to not give
>> undue influence to callers where it isn't warranted, of course.
>>
>>
> I added extern char **environ, and passed in environ to execve, i also
> added some printfs to see what was being passed into setfiles...
>
> root@ubuntu:/home/vikram/refpolicy-ac# semodule -b
> /usr/share/selinux/refpolicy/base.pp -s refpolicy -v
> Attempting to install base module '/usr/share/selinux/refpolicy/base.pp':
> Ok: return value of 0.
> Committing changes:
> e->path=/home/vikram/root/bin/setfiles
> arg[0] = /home/vikram/root/bin/setfiles
> arg[1] = (null)
> usage: /home/vikram/root/bin/setfiles [-dnpqvW] [-o filename] [-r
> alt_root_path ] spec_file pathname...
> usage: /home/vikram/root/bin/setfiles -c policyfile spec_file
> usage: /home/vikram/root/bin/setfiles -s [-dnqvW] [-o filename ] spec_file
> libsemanage.semanage_install_active: setfiles returned error code 1.
>
> Why is setfiles being passed no arguments?
>
you need to add:
args = -q -c $@ $<
to the setfiles block in semanage.conf -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.