* [refpolicy] Install Directory for Reference Policy?
From: Naftuli Kay @ 2017-01-17 4:24 UTC
To: refpolicy

I'm on Ubuntu 16.04 and I've just compiled the reference policy via:

git clone https://github.com/TresysTechnology/refpolicy.git
cd refpolicy
git submodule init
git submodule update
git checkout RELEASE_2_20161023
( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
make conf
make install

My build.conf looks like this:

TYPE = standard
NAME = refpolicy
DISTRO = debian
UNK_PERMS = deny
DIRECT_INITRC = n
SYSTEMD = y
MONOLITHIC = n
UBAC = y
CUSTOM_BUILDOPT =
MLS_SENS = 16
MLS_CATS = 1024
MCS_CATS = 1024
QUIET = n

Pretty normal stuff.

Unfortunately, though it properly loads at the time of "make install,"
it isn't installed into the expected directory by my distro.
Apparently, Ubuntu wants the binary files to be located at
/etc/selinux/$NAME. The upstream "selinux-policy-default" package
installs its dependencies to /etc/selinux/default and its contents can
be viewed here: http://pastebin.com/8fXvdFUA

Is there a variable I need to set to have the reference policy install
itself/copy its files following this pattern to
/etc/selinux/refpolicy?

* [refpolicy] Install Directory for Reference Policy?
From: Thomas @ 2017-01-17 5:05 UTC
To: refpolicy

Did you follow the guide?
https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy

And I think semanage requires the -S switch to operate on a non loaded
policy store:

-S, --store
    Select and alternate SELinux store to manage

-thomas

* [refpolicy] Install Directory for Reference Policy?
From: Naftuli Kay @ 2017-01-17 18:09 UTC
To: refpolicy

I have not, I was unfortunately not aware of it. Following instructions
now.

Thanks,
 - Naftuli Kay

* [refpolicy] Install Directory for Reference Policy?
From: Naftuli Kay @ 2017-01-17 18:21 UTC
To: refpolicy

I have followed the given instructions and I still don't have my
policy installed in the right place:

cd /etc/selinux/refpolicy/src/policy
make clean
make bare
make conf
make install

Compare output of tree -L 2 /etc/selinux/default:
http://pastebin.com/vwtbrjfY

with output of tree -L 2 /etc/selinux/refpolicy:
http://pastebin.com/aDUCEzq0

Thanks,
 - Naftuli Kay

* [refpolicy] Install Directory for Reference Policy?
From: Guido Trentalancia @ 2017-01-17 23:11 UTC
To: refpolicy

Hello.

If you do "make conf" before "make install" it will override the
configuration that you have previously created (including the name of
the policy and therefore its location).

Try the following sequence from the top-level directory where you have
the policy source (for example as checked out from git or extracted
from a release):

make clean
make conf

edit build.conf to suit your needs (including the name of the policy,
for example "refpolicy")

make install-src
make policy
make install

edit /etc/selinux/config to select the new policy

make load

That is it. The next time you build it, don't issue "make conf" again,
it is just to get an initial build configuration file.

I hope it helps.

Regards,

Guido

* [refpolicy] Install Directory for Reference Policy?
From: Naftuli Kay @ 2017-01-29 19:14 UTC
To: refpolicy

Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
16.04. I have installed all build dependencies and I have cloned the
Git repository to a local directory at
~/Documents/Development/refpolicy.

I have made sure that both the top-level Git repository (refpolicy)
and the refpolicy-contrib submodule are both up to date with latest
master from GitHub.

Following Guido's guidance, I did the following:

cd ~/Documents/Development/refpolicy
make clean
make conf

I then edited build.conf to enable systemd, because that is my init
here on 16.04. I did not make any other modifications, the policy name
is refpolicy and the type is standard.

I then ran:

$ sudo make install-src
rm -rf /etc/selinux/refpolicy/src/policy.old
mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory
Makefile:551: recipe for target 'install-src' failed
make: [install-src] Error 1 (ignored)
mkdir -p /etc/selinux/refpolicy/src/policy
cp -R . /etc/selinux/refpolicy/src/policy

$ sudo make install-src
rm -rf /etc/selinux/refpolicy/src/policy.old
mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
mkdir -p /etc/selinux/refpolicy/src/policy
cp -R . /etc/selinux/refpolicy/src/policy

The first time, as shown, errored, and the second time seemed to work.

I then ran:

make policy
sudo make install

It compiled all of the modules and it seems that it installed
everything to /usr/share/selinux/refpolicy, rather than
/etc/selinux/refpolicy, which it seems is what my distribution
expects.

I then ran

sudo make load

It failed with:

/usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.

There is a lot of debugging output which I have listed here:
https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5

There are multiple files describing the contents of
/usr/share/selinux/refpolicy, /etc/selinux/refpolicy, my kernel
command line, and more.

I'm not sure what I'm doing wrong, but I may set up a 16.04 Vagrant VM
project to see if I can iterate on this to know exactly the steps that
need to be taken to get things to work.

Thanks,
 - Naftuli Kay

* [refpolicy] Install Directory for Reference Policy?
From: Guido Trentalancia @ 2017-01-29 20:29 UTC
To: refpolicy

Hello again.

First thing, if you meet problems again after trying the following
advice, then it is probably a good idea to rename your new policy (the
one that you build), so that you can distinguish from the default
policy installed from your distribution (otherwise there is no
difference other than the timestamp).

On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
> 16.04. I have installed all build dependencies and I have cloned the
> Git repository to a local directory at
> ~/Documents/Development/refpolicy.
>
> I have made sure that both the top-level Git repository (refpolicy)
> and the refpolicy-contrib submodule are both up to date with latest
> master from GitHub.
>
> Following Guido's guidance, I did the following:
>
> cd ~/Documents/Development/refpolicy
> make clean
> make conf
>
> I then edited build.conf to enable systemd, because that is my init
> here on 16.04. I did not make any other modifications, the policy
> name is refpolicy and the type is standard.
>
> I then ran:
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory
> Makefile:551: recipe for target 'install-src' failed
> make: [install-src] Error 1 (ignored)
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> The first time, as shown, errored, and the second time seemed to
> work.

That is normal.

> I then ran:
>
> make policy
> sudo make install
>
> It compiled all of the modules and it seems that it installed
> everything to /usr/share/selinux/refpolicy, rather than
> /etc/selinux/refpolicy, which it seems is what my distribution
> expects.
>
> I then ran
>
> sudo make load
>
> It failed with:
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be
> accessed.

Perhaps, the policy that is currently loaded (from your distribution)
uses a different directory to store the policy itself and therefore
doesn't let you load the new policy from a different directory...

In that case, you can try temporarily disabling SELinux by switching
from "enforcing" mode to "permissive" mode, then load the new policy
and finally switch back to SELinux "enforcing" mode:

# setenforce 0
# sudo make load
# setenforce 1

If you are still experiencing problems, try "make load" as root instead
of sudo.

I hope this helps...

Regards,

Guido

* [refpolicy] Install Directory for Reference Policy?
From: Guido Trentalancia @ 2017-01-29 20:59 UTC
To: refpolicy

Consider you also have to relabel the filesystem, ideally after
installing and before loading a new policy:

# make relabel

Of course, this is not related to the error that you reported, but
doing so will prevent further problems once you have finally managed
to load the new policy...

Regards,

Guido

* [refpolicy] Install Directory for Reference Policy?
From: Guido Trentalancia @ 2017-01-29 22:43 UTC
To: refpolicy

On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
> 16.04. I have installed all build dependencies and I have cloned the
> Git repository to a local directory at
> ~/Documents/Development/refpolicy.
>
> I have made sure that both the top-level Git repository (refpolicy)
> and the refpolicy-contrib submodule are both up to date with latest
> master from GitHub.
>
> Following Guido's guidance, I did the following:
>
> cd ~/Documents/Development/refpolicy
> make clean
> make conf
>
> I then edited build.conf to enable systemd, because that is my init
> here on 16.04. I did not make any other modifications, the policy
> name is refpolicy and the type is standard.
>
> I then ran:
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory
> Makefile:551: recipe for target 'install-src' failed
> make: [install-src] Error 1 (ignored)
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> The first time, as shown, errored, and the second time seemed to
> work.
>
> I then ran:
>
> make policy
> sudo make install
>
> It compiled all of the modules and it seems that it installed
> everything to /usr/share/selinux/refpolicy, rather than
> /etc/selinux/refpolicy, which it seems is what my distribution
> expects.
>
> I then ran
>
> sudo make load
>
> It failed with:
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be
> accessed.
>
> There is a lot of debugging output which I have listed here:
> https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5

After looking more carefully at the files that have been installed on
your system, I realize that you are missing the actual binary policy.

It's a file named "policy.29" or "policy.30" and that goes in
/etc/selinux/refpolicy. It should be generated during "make policy",
but you have not mentioned about errors during that build stage...

In the development tree, it is located top-level:
~/Documents/Development/refpolicy/policy.29
or ~/Documents/Development/refpolicy/policy.30

Without more information, I don't know why you are missing that...

It should be generated by checkpolicy. Do you have checkpolicy
installed ? Try typing "checkpolicy -V".

Regards,

Guido

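The checks made by hand in the messages above (is there a binary policy.NN under /etc/selinux/<NAME>, and does /etc/selinux/config select that name) can be scripted. This is an added example, not part of the thread or of refpolicy: the function names, return codes and the sample tree are constructed for illustration, and it assumes the KEY = value syntax shown in build.conf and the SELINUXTYPE key in /etc/selinux/config.

```shell
#!/bin/sh
# Added example (not from the thread): audit a policy store the way the
# messages above do by hand. Function names and return codes are made up here.

# Print the value of KEY from a "KEY = value" or "KEY=value" file.
# Commented-out lines are skipped; the last assignment wins.
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" \
        2>/dev/null | tail -n 1
}

# Print the first binary policy (policy.NN) found under ROOT/NAME, if any.
binary_policy() {  # $1 = SELinux root (e.g. /etc/selinux), $2 = policy name
    find "$1/$2" -type f -name 'policy.[0-9]*' 2>/dev/null | sort | head -n 1
}

# check_store ROOT BUILD_CONF
#   0  binary policy present and selected in ROOT/config
#   1  binary policy present, but ROOT/config selects another policy
#   2  no binary policy under ROOT/NAME
#   3  NAME missing from build.conf
check_store() {
    root=$1
    name=$(conf_value "$2" NAME)
    if [ -z "$name" ]; then
        echo "NAME is not set in $2"
        return 3
    fi
    bin=$(binary_policy "$root" "$name")
    if [ -z "$bin" ]; then
        echo "no policy.NN under $root/$name"
        return 2
    fi
    selected=$(conf_value "$root/config" SELINUXTYPE)
    if [ "$selected" != "$name" ]; then
        echo "$root/config selects '$selected', but build.conf names '$name'"
        return 1
    fi
    echo "ok: $bin"
}

# Build a constructed sample tree resembling the state reported in the thread:
# "default" has a binary policy, "refpolicy" only has the installed sources.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/selinux/default/policy" "$t/etc/selinux/refpolicy/src/policy"
    : > "$t/etc/selinux/default/policy/policy.29"
    printf '# constructed sample\nSELINUXTYPE=default\n' > "$t/etc/selinux/config"
    printf 'TYPE = standard\nNAME = refpolicy\nSYSTEMD = y\n' > "$t/build.conf"
    echo "$t"
}

# Stand-alone demo on the sample tree (reports the missing binary policy).
demo=$(make_sample_tree)
check_store "$demo/etc/selinux" "$demo/build.conf" || echo "check_store exit status: $?"
rm -rf "$demo"
```

On a real system the call would be check_store /etc/selinux build.conf, run from the policy source directory.
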
* [refpolicy] Install Directory for Reference Policy?
From: Naftuli Kay @ 2017-01-30 18:45 UTC
To: refpolicy

Guido,

naftuli at reprisal:~$ checkpolicy -V
29 (compatibility range 29-15)

naftuli at reprisal:~$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

This is when I have configured the default policy in
/etc/selinux/config. This is provided by Ubuntu upstream
selinux-policy-default.

As noted before, please compare the following:
https://gist.github.com/naftulikay/ac03e45ea7c66bd3537e41eac0e3d40f

As you have noted, there is no binary policy file installed in the
correct directory for refpolicy, and there is for default. If I run a
`find . -iname 'policy.*'` in my refpolicy source directory, I find no
binary policy files.

How should I go about correcting this?

Thanks,
 - Naftuli Kay

* [refpolicy] Install Directory for Reference Policy? 2017-01-17 4:24 [refpolicy] Install Directory for Reference Policy? Naftuli Kay 2017-01-17 5:05 ` Thomas @ 2017-01-30 20:55 ` Guido Trentalancia 2017-01-31 14:19 ` Guido Trentalancia 1 sibling, 1 reply; 15+ messages in thread From: Guido Trentalancia @ 2017-01-30 20:55 UTC (permalink / raw) To: refpolicy Hello again. On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote: > I'm on Ubuntu 16.04 and I've just compiled the reference policy via: > > git clone https://github.com/TresysTechnology/refpolicy.git > cd refpolicy > git submodule init > git submodule update > git checkout RELEASE_2_20161023 > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) > make conf > make install > > My build.conf looks like this: > > TYPE = standard > NAME = refpolicy > DISTRO = debian > UNK_PERMS = deny > DIRECT_INITRC = n > SYSTEMD = y > MONOLITHIC = n > UBAC = y > CUSTOM_BUILDOPT = > MLS_SENS = 16 > MLS_CATS = 1024 > MCS_CATS = 1024 > QUIET = n > > Pretty normal stuff. > > Unfortunately, though it properly loads at the time of "make > install," > it isn't installed into the expected directory by my distro. You shouldn't worry about the installation directory. The path that is being used should be fine. Part of the policy goes under /etc/selinux and part goes under /usr/share/selinux. > Apparently, Ubuntu wants the binary files to be located at > /etc/selinux/$NAME. The upstream "selinux-policy-default" package > installs its dependencies to /etc/selinux/default and its contents > can > be viewed here: http://pastebin.com/8fXvdFUA > > Is there a variable I need to set to have the reference policy > install > itself/copy its files following this pattern to > /etc/selinux/refpolicy? The problem is that your "make load" build step fails, as far as I remember, and that is why you are not getting the policy.29 file in /etc/selinux/refpolicy. 
Can you try changing the TYPE of the policy in build.conf from "standard" to "mcs" and perform all the build steps again ? Also, please perform the build steps from the development directory located in your home and not on the installation subdirectory of /etc/selinux/refpolicy. Regards, Guido ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] Install Directory for Reference Policy? 2017-01-30 20:55 ` Guido Trentalancia @ 2017-01-31 14:19 ` Guido Trentalancia 2017-02-06 3:53 ` Naftuli Kay 0 siblings, 1 reply; 15+ messages in thread 
From: Guido Trentalancia @ 2017-01-31 14:19 UTC (permalink / raw) To: refpolicy On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy wrote: > Hello again. > > On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote: > > > > I'm on Ubuntu 16.04 and I've just compiled the reference policy > > via: > > > > git clone https://github.com/TresysTechnology/refpolicy.git > > cd refpolicy > > git submodule init > > git submodule update > > git checkout RELEASE_2_20161023 > > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) > > make conf > > make install > > > > My build.conf looks like this: > > > > TYPE = standard > > NAME = refpolicy > > DISTRO = debian > > UNK_PERMS = deny > > DIRECT_INITRC = n > > SYSTEMD = y > > MONOLITHIC = n > > UBAC = y > > CUSTOM_BUILDOPT = > > MLS_SENS = 16 > > MLS_CATS = 1024 > > MCS_CATS = 1024 > > QUIET = n > > > > Pretty normal stuff. > > > > Unfortunately, though it properly loads at the time of "make > > install," > > it isn't installed into the expected directory by my distro. > > You shouldn't worry about the installation directory. The path that > is > being used should be fine. Part of the policy goes under /etc/selinux > and part goes under /usr/share/selinux. > > > > > Apparently, Ubuntu wants the binary files to be located at > > /etc/selinux/$NAME. The upstream "selinux-policy-default" package > > installs its dependencies to /etc/selinux/default and its contents > > can > > be viewed here: http://pastebin.com/8fXvdFUA > > > > Is there a variable I need to set to have the reference policy > > install > > itself/copy its files following this pattern to > > /etc/selinux/refpolicy? > > The problem is that your "make load" build step fails, as far as I > remember, and that is why you are not getting the policy.29 file in > /etc/selinux/refpolicy. > > Can you try changing the TYPE of the policy in build.conf from > "standard" to "mcs" and perform all the build steps again ? 
> > Also, please perform the build steps from the development directory > located in your home and not on the installation subdirectory of > /etc/selinux/refpolicy. In addition to using "mcs" instead of "standard" as the policy type, you should revert the following patch if you are using the SELinux tools which comes with Ubuntu: commit 1e0561caed7b90469c037a91ff4739dc24a2de54 Author: Guido Trentalancia <guido@trentalancia.net> Date: Fri Sep 2 12:58:42 2016 +0200 Avoid using deprecated semodule options (-b or --base) during "make load". Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- Rules.modular | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200 +++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200 @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) # created by semanage @echo "Loading configured modules." @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) ######################################## # ^ permalink raw reply [flat|nested] 15+ messages in thread
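Review bot: The `load` recipe in Rules.modular now passes the base package with `-i` unconditionally, so a semodule that still expects `-b` for the base module has no fallback; this message itself asks for the change to be reverted when the SELinux tools shipped with Ubuntu are in use. Consider selecting the option through a make variable or a probe of the installed semodule instead of hard-coding it, and have the commit message name the minimum semodule/libsemanage version at which `-b` became deprecated, since that version is what decides whether the new line works on a given system.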
* [refpolicy] Install Directory for Reference Policy? 2017-01-31 14:19 ` Guido Trentalancia @ 2017-02-06 3:53 ` Naftuli Kay 2017-02-07 22:52 ` Guido Trentalancia 0 siblings, 1 reply; 15+ messages in thread 
From: Naftuli Kay @ 2017-02-06 3:53 UTC (permalink / raw) To: refpolicy I have reverted that and I think that it is finally running as expected, but I'm getting more errors: Can not stat: /etc/selinux/refpolicy/contexts/files/file_contexts.local: No such file or directory libsemanage.sefcontext_compile: sefcontext_compile returned error code 1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/file_contexts.homedirs to /etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such file or directory). /usr/sbin/semodule: Failed! Rules.modular:56: recipe for target 'load' failed make: *** [load] Error 1 However, refpolicy is FINALLY loaded: SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: refpolicy Current mode: permissive Mode from config file: permissive Policy MLS status: disabled Policy deny_unknown status: denied Max kernel policy version: 30 Hooray! How can I fix these other build problems? I'm on the latest stable release: 2.20170204. If these are simply Makefile issues, I might patch in to cover the Ubuntu edge-case of semodule -b. Thanks, - Naftuli Kay On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote: > On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy > wrote: >> Hello again. 
>> >> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote: >> > >> > I'm on Ubuntu 16.04 and I've just compiled the reference policy >> > via: >> > >> > git clone https://github.com/TresysTechnology/refpolicy.git >> > cd refpolicy >> > git submodule init >> > git submodule update >> > git checkout RELEASE_2_20161023 >> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) >> > make conf >> > make install >> > >> > My build.conf looks like this: >> > >> > TYPE = standard >> > NAME = refpolicy >> > DISTRO = debian >> > UNK_PERMS = deny >> > DIRECT_INITRC = n >> > SYSTEMD = y >> > MONOLITHIC = n >> > UBAC = y >> > CUSTOM_BUILDOPT = >> > MLS_SENS = 16 >> > MLS_CATS = 1024 >> > MCS_CATS = 1024 >> > QUIET = n >> > >> > Pretty normal stuff. >> > >> > Unfortunately, though it properly loads at the time of "make >> > install," >> > it isn't installed into the expected directory by my distro. >> >> You shouldn't worry about the installation directory. The path that >> is >> being used should be fine. Part of the policy goes under /etc/selinux >> and part goes under /usr/share/selinux. >> >> > >> > Apparently, Ubuntu wants the binary files to be located at >> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package >> > installs its dependencies to /etc/selinux/default and its contents >> > can >> > be viewed here: http://pastebin.com/8fXvdFUA >> > >> > Is there a variable I need to set to have the reference policy >> > install >> > itself/copy its files following this pattern to >> > /etc/selinux/refpolicy? >> >> The problem is that your "make load" build step fails, as far as I >> remember, and that is why you are not getting the policy.29 file in >> /etc/selinux/refpolicy. >> >> Can you try changing the TYPE of the policy in build.conf from >> "standard" to "mcs" and perform all the build steps again ? 
>> >> Also, please perform the build steps from the development directory >> located in your home and not on the installation subdirectory of >> /etc/selinux/refpolicy. > > In addition to using "mcs" instead of "standard" as the policy type, > you should revert the following patch if you are using the SELinux > tools which comes with Ubuntu: > > commit 1e0561caed7b90469c037a91ff4739dc24a2de54 > Author: Guido Trentalancia <guido@trentalancia.net> > Date: Fri Sep 2 12:58:42 2016 +0200 > > Avoid using deprecated semodule options (-b or --base) during "make > load". > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > Rules.modular | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200 > +++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200 > @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) > # created by semanage > @echo "Loading configured modules." > @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) > - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > > ######################################## > # > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 15+ messages in thread
* [refpolicy] Install Directory for Reference Policy? 2017-02-06 3:53 ` Naftuli Kay @ 2017-02-07 22:52 ` Guido Trentalancia 2017-02-22 5:35 ` Naftuli Kay 0 siblings, 1 reply; 15+ messages in thread 
From: Guido Trentalancia @ 2017-02-07 22:52 UTC (permalink / raw) To: refpolicy Hello. You have surely done well to revert the patch that I told you, because the SELinux tools that you are using are based on an obsolete syntax. However, I believe that your policy has not been loaded, because of the additional errors that you quoted. The sestatus tool is just a very simple program that reads your SELinux configuration file and prints out the name of the policy that you have configured there... It is very limited. What matters is that semodule failed to load your new policy. It might be due to obsolete or incompatible versions of the tools and the libraries. Either you spend time to fully debug the problem or you try the latest SELinux tools and libraries. I hope this helps. Regards, Guido On the 6th of February 2017 04:53:30 CET, Naftuli Kay <rfkrocktk@gmail.com> wrote: >I have reverted that and I think that it is finally running as >expected, but I'm getting more errors: > >Can not stat: >/etc/selinux/refpolicy/contexts/files/file_contexts.local: >No such file or directory >libsemanage.sefcontext_compile: sefcontext_compile returned error code >1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local >libsemanage.semanage_install_active: Could not copy >/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to >/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such >file or directory). >/usr/sbin/semodule: Failed! >Rules.modular:56: recipe for target 'load' failed >make: *** [load] Error 1 > >However, refpolicy is FINALLY loaded: > >SELinux status: enabled >SELinuxfs mount: /sys/fs/selinux >SELinux root directory: /etc/selinux >Loaded policy name: refpolicy >Current mode: permissive >Mode from config file: permissive >Policy MLS status: disabled >Policy deny_unknown status: denied >Max kernel policy version: 30 > >Hooray! How can I fix these other build problems? I'm on the latest >stable release: 2.20170204. 
> >If these are simply Makefile issues, I might patch in to cover the >Ubuntu edge-case of semodule -b. > >Thanks, > - Naftuli Kay > > >On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy ><refpolicy@oss.tresys.com> wrote: >> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy >> wrote: >>> Hello again. >>> >>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote: >>> > >>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy >>> > via: >>> > >>> > git clone https://github.com/TresysTechnology/refpolicy.git >>> > cd refpolicy >>> > git submodule init >>> > git submodule update >>> > git checkout RELEASE_2_20161023 >>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) >>> > make conf >>> > make install >>> > >>> > My build.conf looks like this: >>> > >>> > TYPE = standard >>> > NAME = refpolicy >>> > DISTRO = debian >>> > UNK_PERMS = deny >>> > DIRECT_INITRC = n >>> > SYSTEMD = y >>> > MONOLITHIC = n >>> > UBAC = y >>> > CUSTOM_BUILDOPT = >>> > MLS_SENS = 16 >>> > MLS_CATS = 1024 >>> > MCS_CATS = 1024 >>> > QUIET = n >>> > >>> > Pretty normal stuff. >>> > >>> > Unfortunately, though it properly loads at the time of "make >>> > install," >>> > it isn't installed into the expected directory by my distro. >>> >>> You shouldn't worry about the installation directory. The path that >>> is >>> being used should be fine. Part of the policy goes under >/etc/selinux >>> and part goes under /usr/share/selinux. >>> >>> > >>> > Apparently, Ubuntu wants the binary files to be located at >>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package >>> > installs its dependencies to /etc/selinux/default and its contents >>> > can >>> > be viewed here: http://pastebin.com/8fXvdFUA >>> > >>> > Is there a variable I need to set to have the reference policy >>> > install >>> > itself/copy its files following this pattern to >>> > /etc/selinux/refpolicy? 
>>> >>> The problem is that your "make load" build step fails, as far as I >>> remember, and that is why you are not getting the policy.29 file in >>> /etc/selinux/refpolicy. >>> >>> Can you try changing the TYPE of the policy in build.conf from >>> "standard" to "mcs" and perform all the build steps again ? >>> >>> Also, please perform the build steps from the development directory >>> located in your home and not on the installation subdirectory of >>> /etc/selinux/refpolicy. >> >> In addition to using "mcs" instead of "standard" as the policy type, >> you should revert the following patch if you are using the SELinux >> tools which comes with Ubuntu: >> >> commit 1e0561caed7b90469c037a91ff4739dc24a2de54 >> Author: Guido Trentalancia <guido@trentalancia.net> >> Date: Fri Sep 2 12:58:42 2016 +0200 >> >> Avoid using deprecated semodule options (-b or --base) during "make >> load". >> >> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >> --- >> Rules.modular | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 >21:26:43.257773849 +0200 >> +++ refpolicy-git-06082016/Rules.modular 2016-09-02 >12:36:07.214247080 +0200 >> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) >> # created by semanage >> @echo "Loading configured modules." >> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) >> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) >> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) >> >> ######################################## >> # >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 15+ messages in thread
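The point made in the message above, that the configured policy name says nothing about whether a binary policy exists for it, can be checked directly on disk. The following is an added example, not code from this thread or from the refpolicy project; it assumes the usual libselinux layout /etc/selinux/<SELINUXTYPE>/policy/policy.<N>, the function names are hypothetical, and the directory tree it runs against is constructed.

```shell
#!/bin/sh
# Added example: do not trust the policy *name* in /etc/selinux/config;
# confirm that a binary policy (policy.N) really exists in that store.
# ROOT is a filesystem prefix ("" for the live system) so the check can be
# run against a constructed tree.

# Print the SELINUXTYPE value from ROOT/etc/selinux/config (empty if absent).
selinux_configured_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print the highest N for which a non-empty ROOT/etc/selinux/NAME/policy/policy.N
# exists (empty line if there is none).
newest_binary_policy() {
    best=""
    for f in "$1/etc/selinux/$2/policy"/policy.*; do
        [ -s "$f" ] || continue                 # unmatched glob or empty file
        v=${f##*.}
        case $v in ''|*[!0-9]*) continue ;; esac
        if [ -z "$best" ] || [ "$v" -gt "$best" ]; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# check_policy_store ROOT KERNEL_MAX
# Prints one status line; returns 0 only when a usable binary policy is present.
check_policy_store() {
    root=$1
    kernel_max=$2
    name=$(selinux_configured_type "$root")
    if [ -z "$name" ]; then
        echo "no SELINUXTYPE configured"
        return 1
    fi
    ver=$(newest_binary_policy "$root" "$name")
    if [ -z "$ver" ]; then
        echo "$name: missing-binary-policy"
        return 1
    fi
    # The kernel refuses policy versions above its maximum, so such a file
    # cannot be loaded as-is.
    if [ "$ver" -gt "$kernel_max" ]; then
        echo "$name: policy.$ver exceeds kernel max $kernel_max"
        return 1
    fi
    echo "$name: ok policy.$ver"
}

# Constructed tree mirroring the state described in the thread: the config
# names "refpolicy", but only the "default" store holds a policy.29 file.
make_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/selinux/default/policy" \
             "$t/etc/selinux/refpolicy/contexts/files"
    printf 'SELINUX=permissive\nSELINUXTYPE=refpolicy\n' > "$t/etc/selinux/config"
    printf 'constructed placeholder\n' > "$t/etc/selinux/default/policy/policy.29"
    printf '%s\n' "$t"
}

demo_root=$(make_constructed_tree)
check_policy_store "$demo_root" 30 || true
rm -rf "$demo_root"

# On a live system (assumption: selinuxfs mounted at /sys/fs/selinux):
#   check_policy_store "" "$(cat /sys/fs/selinux/policyvers)"
```

A non-zero return from `check_policy_store` means the store named in the config cannot supply a loadable policy, whatever name the status output shows.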
* [refpolicy] Install Directory for Reference Policy? 2017-02-07 22:52 ` Guido Trentalancia @ 2017-02-22 5:35 ` Naftuli Kay 0 siblings, 0 replies; 15+ messages in thread 
From: Naftuli Kay @ 2017-02-22 5:35 UTC (permalink / raw) To: refpolicy Yes, I believe that I'll have to do some work to compile the userspace utilities and package them for my distribution. Thanks, - Naftuli Kay On Tue, Feb 7, 2017 at 2:52 PM, Guido Trentalancia via refpolicy < refpolicy@oss.tresys.com> wrote: > Hello. > > You have surely done well to revert the patch that I told you, because the > SELinux tools that you are using are based on an obsolete syntax. > > However, I believe that your policy has not been loaded, because of the > additional errors that you quoted. > > The sestatus tool is just a very simple program that reads your SELinux > configuration file and prints out the name of the policy that you have > configured there... It is very limited. > > What matters is that semodule failed to load your new policy. > > It might be due to obsolete or incompatible versions of the tools and the > libraries. Either you spend time to fully debug the problem or you try the > latest SELinux tools and libraries. > > I hope this helps. > > Regards, > > Guido > > On the 6th of February 2017 04:53:30 CET, Naftuli Kay <rfkrocktk@gmail.com> > wrote: > >I have reverted that and I think that it is finally running as > >expected, but I'm getting more errors: > > > >Can not stat: > >/etc/selinux/refpolicy/contexts/files/file_contexts.local: > >No such file or directory > >libsemanage.sefcontext_compile: sefcontext_compile returned error code > >1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local > >libsemanage.semanage_install_active: Could not copy > >/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to > >/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such > >file or directory). > >/usr/sbin/semodule: Failed! 
> >Rules.modular:56: recipe for target 'load' failed > >make: *** [load] Error 1 > > > >However, refpolicy is FINALLY loaded: > > > >SELinux status: enabled > >SELinuxfs mount: /sys/fs/selinux > >SELinux root directory: /etc/selinux > >Loaded policy name: refpolicy > >Current mode: permissive > >Mode from config file: permissive > >Policy MLS status: disabled > >Policy deny_unknown status: denied > >Max kernel policy version: 30 > > > >Hooray! How can I fix these other build problems? I'm on the latest > >stable release: 2.20170204. > > > >If these are simply Makefile issues, I might patch in to cover the > >Ubuntu edge-case of semodule -b. > > > >Thanks, > > - Naftuli Kay > > > > > >On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy > ><refpolicy@oss.tresys.com> wrote: > >> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy > >> wrote: > >>> Hello again. > >>> > >>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote: > >>> > > >>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy > >>> > via: > >>> > > >>> > git clone https://github.com/TresysTechnology/refpolicy.git > >>> > cd refpolicy > >>> > git submodule init > >>> > git submodule update > >>> > git checkout RELEASE_2_20161023 > >>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) > >>> > make conf > >>> > make install > >>> > > >>> > My build.conf looks like this: > >>> > > >>> > TYPE = standard > >>> > NAME = refpolicy > >>> > DISTRO = debian > >>> > UNK_PERMS = deny > >>> > DIRECT_INITRC = n > >>> > SYSTEMD = y > >>> > MONOLITHIC = n > >>> > UBAC = y > >>> > CUSTOM_BUILDOPT = > >>> > MLS_SENS = 16 > >>> > MLS_CATS = 1024 > >>> > MCS_CATS = 1024 > >>> > QUIET = n > >>> > > >>> > Pretty normal stuff. > >>> > > >>> > Unfortunately, though it properly loads at the time of "make > >>> > install," > >>> > it isn't installed into the expected directory by my distro. > >>> > >>> You shouldn't worry about the installation directory. 
The path that > >>> is > >>> being used should be fine. Part of the policy goes under > >/etc/selinux > >>> and part goes under /usr/share/selinux. > >>> > >>> > > >>> > Apparently, Ubuntu wants the binary files to be located at > >>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package > >>> > installs its dependencies to /etc/selinux/default and its contents > >>> > can > >>> > be viewed here: http://pastebin.com/8fXvdFUA > >>> > > >>> > Is there a variable I need to set to have the reference policy > >>> > install > >>> > itself/copy its files following this pattern to > >>> > /etc/selinux/refpolicy? > >>> > >>> The problem is that your "make load" build step fails, as far as I > >>> remember, and that is why you are not getting the policy.29 file in > >>> /etc/selinux/refpolicy. > >>> > >>> Can you try changing the TYPE of the policy in build.conf from > >>> "standard" to "mcs" and perform all the build steps again ? > >>> > >>> Also, please perform the build steps from the development directory > >>> located in your home and not on the installation subdirectory of > >>> /etc/selinux/refpolicy. > >> > >> In addition to using "mcs" instead of "standard" as the policy type, > >> you should revert the following patch if you are using the SELinux > >> tools which comes with Ubuntu: > >> > >> commit 1e0561caed7b90469c037a91ff4739dc24a2de54 > >> Author: Guido Trentalancia <guido@trentalancia.net> > >> Date: Fri Sep 2 12:58:42 2016 +0200 > >> > >> Avoid using deprecated semodule options (-b or --base) during "make > >> load". > >> > >> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > >> --- > >> Rules.modular | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 > >21:26:43.257773849 +0200 > >> +++ refpolicy-git-06082016/Rules.modular 2016-09-02 > >12:36:07.214247080 +0200 
> >> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) > >> # created by semanage > >> @echo "Loading configured modules." > >> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) > >> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir > >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > >> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir > >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > >> > >> ######################################## > >> # > >> _______________________________________________ > >> refpolicy mailing list > >> refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170221/a9b56d8e/attachment.html ^ permalink raw reply [flat|nested] 15+ messages in thread