From: Ashish Mishra <ashishm@mvista.com>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: selinux-refpolicy@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
Date: Sun, 6 Dec 2020 22:00:59 +0530
Message-ID: <CAP2OjciTWXRsYWw9VtOJGUOGj9B35HMXBHF94O6Qc=csg5=Spw@mail.gmail.com>
In-Reply-To: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com>

Hi Richard,

Thanks for replying.

1) The policy.31 binary is not getting created at:
   /etc/selinux/refpolicy/policy/policy.31

2) Using the verbose mode of the makefile I can see that the semodule command
   is reached.
   But even in verbose mode, I can't see any action / command message
   shown for policy.31 being created.
   Hence I am trying to understand how the final policy.31 file is
   being created.

3) Below are the files being created under /etc/selinux:

   refpolicy/contexts:
     customizable_types default_type initrc_context
     removable_context userhelper_context virtual_image_context
     dbus_contexts failsafe_context lxc_contexts
     securetty_types users x_contexts
     default_contexts files openrc_contexts
     sepgsql_contexts virtual_domain_context
   refpolicy/policy:
   refpolicy/src:
     policy

4) Below are the files being created under /usr/share/selinux/refpolicy/include/:

     admin apps build.conf global_tunables.xml
     kernel.xml roles services support system.xml
     admin.xml apps.xml global_booleans.xml kernel
     Makefile roles.xml services.xml system

Any pointers on a probable aspect which could cause such an error would be
welcome, as I am trying to understand how the policy.31 binary is created
from individual modules.

Thanks,
Ashish

On Sun, Dec 6, 2020 at 8:59 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > Hi All,
> >
> > Good morning.
> >
> > I am following the SELINUX NOTEBOOK & trying the same at my end.
> >
> > - The refpolicy modules are copied to /usr/share/selinux/refpolicy;
> >   I can see around 400+ modules there.
> >   But can senior members please help me understand how
> >   /etc/selinux/refpolicy/policy/policy.31 is created using the modules
> >   available at
> >   /usr/share/selinux
> >   The commands I followed:
> >     $ make install-src
> >     $ make conf
> >     $ make load ( tried even $ make install )
> >     $ make install-headers
> >
>
> Just to be clear (as you didn't state whether the binary policy file
> was built at all), if you run these commands:
>
> mkdir refpol
> cd refpol
> git clone https://github.com/SELinuxProject/refpolicy.git
> Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> make install-src
> cd /etc/selinux/refpolicy/src/policy
> make conf
> make load
> make install-headers
>
> The policy binary file should now be created at:
> /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> True ??
>
> To add a new module (that will rebuild the binary policy file) you can
> install the new *.te *.if and *.fc files in a directory and run from
> that directory (you will need to ensure /etc/selinux/config has
> SELINUXTYPE=refpolicy set):
>
> make -f /usr/share/selinux/refpolicy/include/Makefile load
>
> This Makefile basically reads the build.conf file, uses checkmodule to
> build the *.pp file, then semodule to add to store and build the binary
> policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
> files).
>
> I've just tried this on Fedora 33 with no problems.
>
> Note: While running through this example I noticed an error in the
> Notebook - the Reference policy does not have a contribute section, I'll
> send a patch to remove:
>
> Add the contributed modules (policy/modules/contrib)
> git submodule init
> git submodule update
>
> >
> > - This can help me to debug an issue where I am trying to get selinux
> >   working on my custom distro, where all the make commands are
> >   successfully executed but the policy.31
> >   is not getting created
> >
> > - I can even see the "include" folder also getting created for make
> >   install-headers
> >
> > Any pointers will be helpful, or please let me know if I am missing
> > any aspect here.
> >
> > Thanks,
> > Ashish.
>
>
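
The symptom discussed in this message (make succeeds, semodule is reached, but no policy.NN appears) can be narrowed down by checking each stage's output on disk. The script below is an added example, not part of the thread or of refpolicy; the function names are hypothetical, and the module store location /var/lib/selinux/<name>/active/modules is an assumption that holds for libsemanage 2.4 and later.

```shell
#!/bin/sh
# Added diagnostic sketch: report which stage of the refpolicy build left
# nothing behind. Usage: policy_state ROOT NAME, e.g. policy_state / refpolicy
# ROOT lets the check run against a staged or cross-built root filesystem.

# Print the SELINUXTYPE value from ROOT/etc/selinux/config (empty if unset).
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print one word describing the state of policy NAME under ROOT:
#   wrong-type  /etc/selinux/config does not select NAME
#   no-store    semodule never populated the module store
#   no-binary   store is populated but no policy.NN was written
#   ok          a non-empty policy.NN exists
policy_state() {
    root=$1
    name=$2

    if [ "$(selinux_type "$root")" != "$name" ]; then
        echo wrong-type
        return 0
    fi

    # Assumption: libsemanage >= 2.4 keeps installed modules here.
    store="$root/var/lib/selinux/$name/active/modules"
    if [ ! -d "$store" ] || [ -z "$(ls -A "$store" 2>/dev/null)" ]; then
        echo no-store
        return 0
    fi

    # The kernel policy is written as policy.<version> (policy.31, policy.32).
    for f in "$root/etc/selinux/$name/policy"/policy.[0-9]*; do
        if [ -s "$f" ]; then
            echo ok
            return 0
        fi
    done
    echo no-binary
}
```

A result of no-store points at the module install step, while no-binary points at the rebuild step that semodule performs after the store is updated.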