* Using checkmodule to build "old module versions"
From: Jason Axelson @ 2010-07-14 2:17 UTC
To: selinux
Hi,

I may be misunderstanding things but I think that a "new" version of
checkmodule is able to create policy versions other than "latest". I
know that checkpolicy accepts the -c option to create binary policies
of older versions. Is there any equivalent for checkmodule?

My version of checkmodule (2.0.21 I believe) when run with -V reports
that it supports "Module versions 4-10", however I do not see any
flags to change the compiled module policy version.

When I then try to load the compiled module on CentOS 5.4 with
"semodule -i A.pp" it responds with:

libsepol.policydb_read: policydb module version 10 does not match my
version range 4-6
libsepol.sepol_module_package_read: invalid module in module package
(at section 0)
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/clip/modules/tmp/modules/A.pp.
semodule: Failed!

So it looks like checkmodule should be able to build policy version 6
which is supported by semodule on the CentOS 5.4 side.

Am I misunderstanding something?

My setup is using Arch Linux as the development machine so I know it
isn't really "supported" per se.

Thanks,
Jason
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Using checkmodule to build "old module versions"
From: Joshua Brindle @ 2010-07-14 12:34 UTC
To: Jason Axelson; +Cc: selinux
Jason Axelson wrote:
> Hi,
>
> I may be misunderstanding things but I think that a "new" version of
> checkmodule is able to create policy versions other than "latest". I
> know that checkpolicy accepts the -c option to create binary policies
> of older versions. Is there any equivalent for checkmodule?
>
> My version of checkmodule (2.0.21 I believe) when run with -V reports
> that it supports "Module versions 4-10", however I do not see any
> flags to change the compiled module policy version.
>
The writer is technically capable of writing old versions but we never
added the option to checkmodule.

There has been little testing around building modules on a different
toolchain than the target so while it is supposed to work I wouldn't
really recommend it.

> When I then try to load the compiled module on CentOS 5.4 with
> "semodule -i A.pp" it responds with:
>
> libsepol.policydb_read: policydb module version 10 does not match my
> version range 4-6
> libsepol.sepol_module_package_read: invalid module in module package
> (at section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/clip/modules/tmp/modules/A.pp.
> semodule: Failed!
>
> So it looks like checkmodule should be able to build policy version 6
> which is supported by semodule on the CentOS 5.4 side.
>
> Am I misunderstanding something?
>
> My setup is using Arch Linux as the development machine so I know it
> isn't really "supported" per se.
>
> Thanks,
> Jason
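A build-host check for the mismatch discussed in this thread, as an added example that is not part of the original messages or of the SELinux toolchain. It assumes, based on the thread, that checkmodule always writes the highest module version it reports with -V; the function names are hypothetical and the sample inputs are constructed from the values quoted above.

```shell
#!/bin/sh
# Constructed sample inputs, built from the values quoted in the thread.
BUILDER_V_OUTPUT='Module versions 4-10'   # reported by "checkmodule -V" on the build host
TARGET_ERROR='libsepol.policydb_read: policydb module version 10 does not match my version range 4-6'

# Print "MIN MAX" from a "Module versions MIN-MAX" line (empty if absent).
builder_range() {
    printf '%s\n' "$1" |
        sed -n 's/.*[Mm]odule versions \([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1
}

# Print "VERSION MIN MAX" from a libsepol.policydb_read mismatch line.
parse_mismatch() {
    printf '%s\n' "$1" |
        sed -n 's/.*policydb module version \([0-9][0-9]*\) does not match my version range \([0-9][0-9]*\)-\([0-9][0-9]*\).*/\1 \2 \3/p' |
        head -n 1
}

# compat_check BUILDER_V_OUTPUT TARGET_MIN TARGET_MAX
# Assumption (from the thread): there is no option to select an older version,
# so the module is written at the builder's highest supported version.
# Returns 0 if loadable on the target, 1 if not, 2 if the input is unparsable.
compat_check() {
    range=$(builder_range "$1")
    [ -n "$range" ] || return 2
    emitted=${range#* }                     # keep MAX from "MIN MAX"
    if [ "$emitted" -ge "$2" ] && [ "$emitted" -le "$3" ]; then
        echo "ok: module version $emitted is inside target range $2-$3"
    else
        echo "mismatch: module version $emitted is outside target range $2-$3"
        return 1
    fi
}

# check_from_error BUILDER_V_OUTPUT ERROR_LINE
# Take the target's accepted range from a mismatch line it already logged.
check_from_error() {
    m=$(parse_mismatch "$2")
    [ -n "$m" ] || return 2
    t=${m#* }                               # drop the reported version, keep "MIN MAX"
    compat_check "$1" "${t% *}" "${t#* }"
}

check_from_error "$BUILDER_V_OUTPUT" "$TARGET_ERROR" || true
```
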
* Re: Using checkmodule to build "old module versions"
From: Jason Axelson @ 2010-07-14 19:21 UTC
To: Joshua Brindle; +Cc: selinux
Hi Joshua,

On Wed, Jul 14, 2010 at 2:34 AM, Joshua Brindle <method@manicmethod.com> wrote:
> The writer is technically capable of writing old versions but we never added
> the option to checkmodule.
>
> There has been little testing around building modules on a different
> toolchain than the target so while it is supposed to work I wouldn't really
> recommend it.

Thanks for the explanation. Does anyone know if it is possible to
change the checkmodule man page to make it more clear that you can't
build old versions?

I propose to change:

Show policy versions created by this program

to this:

Show policy versions created by this program. Note that you cannot
currently build older versions.

I have attached a (trivial) patch that should apply against the
current head. Of course there may be better wording.

Thanks,
Jason