Re: Using checkmodule to build "old module versions"

[Joshua Brindle <method@manicmethod.com>]

Jason Axelson wrote:
> Hi,
>
> I may be misunderstanding things but I think that a "new" version of
> checkmodule is able to create policy versions other than "latest". I
> know that checkpolicy accepts the -c option to create binary policies
> of older versions. Is there any equivalent for checkmodule?
>
> My version of checkmodule (2.0.21 I believe) when run with -V reports
> that it supports "Module versions 4-10", however I do not see any
> flags to change the compiled module policy version.
>

The writer is technically capable of writing old versions but we never 
added the option to checkmodule.

There has been little testing around building modules on a different 
toolchain than the target so while it is suppose to work I wouldn't 
really recommend it.

> When I then try to load the compiled module on CentOS 5.4 with
> "semodule -i A.pp" it responds with:
>
> libsepol.policydb_read: policydb module version 10 does not match my
> version range 4-6
> libsepol.sepol_module_package_read: invalid module in module package
> (at section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/clip/modules/tmp/modules/A.pp.
> semodule:  Failed!
>
> So it looks like checkmodule should be able to build policy version 6
> which is supported by semodule on the CentOS 5.4 side.
>
> Am I misunderstanding something?
>
> My setup is using Arch Linux as the development machine so I know it
> isn't really "supported" per se.
>
> Thanks,
> Jason


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.