Using checkmodule to build "old module versions"

All of lore.kernel.org
 help / color / mirror / Atom feed

* Using checkmodule to build "old module versions"
@ 2010-07-14  2:17 Jason Axelson
  2010-07-14 12:34 ` Joshua Brindle
  0 siblings, 1 reply; 3+ messages in thread
From: Jason Axelson @ 2010-07-14  2:17 UTC (permalink / raw)
  To: selinux

Hi,

I may be misunderstanding things but I think that a "new" version of
checkmodule is able to create policy versions other than "latest". I
know that checkpolicy accepts the -c option to create binary policies
of older versions. Is there any equivalent for checkmodule?

My version of checkmodule (2.0.21 I believe) when run with -V reports
that it supports "Module versions 4-10", however I do not see any
flags to change the compiled module policy version.

When I then try to load the compiled module on CentOS 5.4 with
"semodule -i A.pp" it responds with:

libsepol.policydb_read: policydb module version 10 does not match my
version range 4-6
libsepol.sepol_module_package_read: invalid module in module package
(at section 0)
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/clip/modules/tmp/modules/A.pp.
semodule:  Failed!

So it looks like checkmodule should be able to build policy version 6
which is supported by semodule on the CentOS 5.4 side.

Am I misunderstanding something?

My setup is using Arch Linux as the development machine so I know it
isn't really "supported" per se.

Thanks,
Jason

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Using checkmodule to build "old module versions"
  2010-07-14  2:17 Using checkmodule to build "old module versions" Jason Axelson
@ 2010-07-14 12:34 ` Joshua Brindle
  2010-07-14 19:21   ` Jason Axelson
  0 siblings, 1 reply; 3+ messages in thread
From: Joshua Brindle @ 2010-07-14 12:34 UTC (permalink / raw)
  To: Jason Axelson; +Cc: selinux

Jason Axelson wrote:
> Hi,
>
> I may be misunderstanding things but I think that a "new" version of
> checkmodule is able to create policy versions other than "latest". I
> know that checkpolicy accepts the -c option to create binary policies
> of older versions. Is there any equivalent for checkmodule?
>
> My version of checkmodule (2.0.21 I believe) when run with -V reports
> that it supports "Module versions 4-10", however I do not see any
> flags to change the compiled module policy version.
>

The writer is technically capable of writing old versions but we never 
added the option to checkmodule.

There has been little testing around building modules on a different 
toolchain than the target so while it is suppose to work I wouldn't 
really recommend it.

> When I then try to load the compiled module on CentOS 5.4 with
> "semodule -i A.pp" it responds with:
>
> libsepol.policydb_read: policydb module version 10 does not match my
> version range 4-6
> libsepol.sepol_module_package_read: invalid module in module package
> (at section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/clip/modules/tmp/modules/A.pp.
> semodule:  Failed!
>
> So it looks like checkmodule should be able to build policy version 6
> which is supported by semodule on the CentOS 5.4 side.
>
> Am I misunderstanding something?
>
> My setup is using Arch Linux as the development machine so I know it
> isn't really "supported" per se.
>
> Thanks,
> Jason


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: Using checkmodule to build "old module versions"
  2010-07-14 12:34 ` Joshua Brindle
@ 2010-07-14 19:21   ` Jason Axelson
  0 siblings, 0 replies; 3+ messages in thread
From: Jason Axelson @ 2010-07-14 19:21 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux

[-- Attachment #1: Type: text/plain, Size: 830 bytes --]

Hi Joshua,

On Wed, Jul 14, 2010 at 2:34 AM, Joshua Brindle <method@manicmethod.com> wrote:
> The writer is technically capable of writing old versions but we never added
> the option to checkmodule.
>
> There has been little testing around building modules on a different
> toolchain than the target so while it is suppose to work I wouldn't really
> recommend it.

Thanks for the explanation. Does anyone know if it is possible to
change the checkmodule man page to make it more clear that you can't
build old versions.

I propose to change:
Show policy versions created by this program

to this:
Show policy versions created by this program. Note that you cannot
currently build older versions.

I have attached a (trivial) patch that should apply against the
current head. Of course there may be better wording.

Thanks,
Jason

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2010-07-14 19:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-07-14  2:17 Using checkmodule to build "old module versions" Jason Axelson
2010-07-14 12:34 ` Joshua Brindle
2010-07-14 19:21   ` Jason Axelson

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.