* [refpolicy] Using monolithic policy for embedded device
@ 2016-08-22  7:18 Sagiv Dvash
  2016-08-22  7:28 ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Sagiv Dvash @ 2016-08-22  7:18 UTC (permalink / raw)
  To: refpolicy

Hello all,

I am new to SELinux and my goal is to implement a custom, small policy on
an embedded device.
Currently, I have a working modified (narrowed down) policy based on the
targeted refpolicy (modular policy). I use a custom openembedded
environment.

My thought was that since I aim to use the policy on an embedded device (so
no changes should be made to the policy on target), using a monolithic
policy will save space and I could also save up some system resources.

I am having trouble switching to monolithic policy. The main issue is the
'duplicate role transition for XYZ' error. This error occurs for almost any
module that is not tagged as "base" in the modules.conf file. From my
understanding of the SELinux Notebook, all of the modules tagged as
'module' in the modules.conf file should be compiled along with those
tagged as 'base' modules when using monolithic policy.

Here is an example log for one of these errors:

| full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
| policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
| #line 493
|                       role_transition sysadm_r iptables_initrc_exec_t system_r;
| checkpolicy:  error(s) encountered while parsing configuration


In order to be sure that the error is not caused by any additions I
made, I reverted back to the targeted policy and tried again - and got
similar errors.

Any hint on how to deal with this?

Thanks,
Sagiv.


* [refpolicy] Using monolithic policy for embedded device
  2016-08-22  7:18 [refpolicy] Using monolithic policy for embedded device Sagiv Dvash
@ 2016-08-22  7:28 ` Dominick Grift
  2016-08-22  8:31   ` Dominick Grift
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2016-08-22  7:28 UTC (permalink / raw)
  To: refpolicy

On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
> Hello all,
> 
> I am new to SELinux and my goal is to implement a custom, small policy on
> an embedded device.
> Currently, I have a working modified (narrowed down) policy based on the
> targeted refpolicy (modular policy). I use a custom openembedded
> environment.
> 
> My thought was that since I aim to use the policy on an embedded device (so
> no changes should be made to the policy on target), using a monolithic
> policy will save space and I could also save up some system resources.
> 
> I am having trouble switching to monolithic policy. The main issue is the
> 'duplicate role transition for XYZ' error. This error occurs for almost any
> module that is not tagged as "base" in the modules.conf file. From my
> understanding of the SELinux Notebook, all of the modules tagged as
> 'module' in the modules.conf file should be compiled along with those
> tagged as 'base' modules when using monolithic policy.
> 
> Here is an example log for one of these errors:
> 
> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
> | #line 493
> |                       role_transition sysadm_r iptables_initrc_exec_t
> system_r;
> | checkpolicy:  error(s) encountered while parsing configuration
> 
> 
> In order to be sure that the error is not caused by any additions I
> made, I reverted back to the targeted policy and tried again - and got
> similar errors.
> 
> Any hint on how to deal with this?
> 

Are you actually using reference policy or some refpolicy fork? Note
that for example the RedHat reference policy forks differ quite a bit
from upstream reference policy, and so it may be a fork specific issue.

I usually do "quick-tests" every time I commit to refpolicy-contrib, to
ensure that refpolicy builds (also in a monolithic config), and I
strongly suspect that the maintainer does this as well.

> Thanks,
> Sagiv.
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] Using monolithic policy for embedded device
  2016-08-22  7:28 ` Dominick Grift
@ 2016-08-22  8:31   ` Dominick Grift
  2016-08-23  0:45     ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2016-08-22  8:31 UTC (permalink / raw)
  To: refpolicy

On 08/22/2016 09:28 AM, Dominick Grift wrote:
> On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
>> Hello all,
>>
>> I am new to SELinux and my goal is to implement a custom, small policy on
>> an embedded device.
>> Currently, I have a working modified (narrowed down) policy based on the
>> targeted refpolicy (modular policy). I use a custom openembedded
>> environment.
>>
>> My thought was that since I aim to use the policy on an embedded device (so
>> no changes should be made to the policy on target), using a monolithic
>> policy will save space and I could also save up some system resources.
>>
>> I am having trouble switching to monolithic policy. The main issue is the
>> 'duplicate role transition for XYZ' error. This error occurs for almost any
>> module that is not tagged as "base" in the modules.conf file. From my
>> understanding of the SELinux Notebook, all of the modules tagged as
>> 'module' in the modules.conf file should be compiled along with those
>> tagged as 'base' modules when using monolithic policy.
>>
>> Here is an example log for one of these errors:
>>
>> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
>> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
>> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
>> | #line 493
>> |                       role_transition sysadm_r iptables_initrc_exec_t
>> system_r;
>> | checkpolicy:  error(s) encountered while parsing configuration
>>
>>
>> In order to be sure that the error is not caused by any additions I
>> made, I reverted back to the targeted policy and tried again - and got
>> similar errors.
>>
>> Any hint on how to deal with this?
>>
> 
> Are you actually using reference policy or some refpolicy fork? Note
> that for example the RedHat reference policy forks differ quite a bit
> from upstream reference policy, and so it may be a fork specific issue.
> 
> I usually do "quick-tests" every time I commit to refpolicy-contrib, to
> ensure that refpolicy builds (also in a monolithic config), and I
> strongly suspect that the maintainer does this as well.
> 

I just ran my "super-quick-test" on up-to-date refpolicy, and it
succeeded. So as far as I am concerned monolithic policy builds fine, but
I may be overlooking things.

I recorded this and sent it to YouTube.

https://www.youtube.com/watch?v=cI16FtUKqPk

As I said, the RedHat fork differs a great deal from reference policy,
and on top of that RedHat does not test monolithic builds (because they
only "support" modular builds).

So either it's a RedHat-specific issue, or you are doing it wrong. I
suggest that you use the Makefile that is provided with reference policy
(see my video for hints on how to build refpolicy).

Other than the above, I do not know what may cause this for you. Maybe
others have ideas.

>> Thanks,
>> Sagiv.
>>
>>
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
> 
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


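The Makefile-driven monolithic build that Dominick recommends, together with a check for the exact failure Sagiv reports, as an added example that is not part of this thread and is not refpolicy's own tooling. It assumes an upstream refpolicy checkout whose build.conf sets MONOLITHIC = y (an existing build.conf option), and it only parses role_transition statements of the single-role, single-type form shown in the error; brace-enclosed role or type sets are skipped. The policy.conf excerpt embedded in the script is constructed for the demonstration, not taken from any real build.

```shell
#!/bin/sh
# Added example, not from the refpolicy thread or the refpolicy project.
#
# 1. build_monolithic: drive refpolicy's own Makefile for a monolithic build
#    (assumption: a refpolicy source tree whose build.conf has MONOLITHIC = y).
# 2. dup_role_transitions: scan an expanded policy.conf for role_transition
#    statements that occur more than once with the same (role, type, class)
#    key, which is what checkpolicy rejects as "duplicate role transition".

# $1 = path to the refpolicy source tree.
build_monolithic() {
    dir="$1"
    [ -f "$dir/build.conf" ] || { echo "no build.conf in $dir" >&2; return 1; }
    grep -Eq '^MONOLITHIC[[:space:]]*=[[:space:]]*y' "$dir/build.conf" \
        || { echo "build.conf does not set MONOLITHIC = y" >&2; return 1; }
    # 'make conf' regenerates policy/modules.conf from the modules present;
    # 'make policy' expands every enabled module into policy.conf in the tree
    # root and runs checkpolicy on it. On failure, policy.conf is left behind,
    # and its "#line" markers map each statement back to the .te/.if source.
    make -C "$dir" conf && make -C "$dir" policy
}

# Reads policy statements on stdin; prints "role type class -> new_role (n)"
# for every role_transition key that appears n > 1 times.
dup_role_transitions() {
    # Keep only the body of role_transition statements, without the ';'.
    sed -n 's/^[[:space:]]*role_transition[[:space:]][[:space:]]*\(.*\);.*$/\1/p' \
    | awk '{
        # checkpolicy tokenises ":" on its own, so "t:process" and
        # "t : process" are the same statement; normalise before splitting.
        gsub(/:/, " : ")
        if (NF == 3) {
            # role_transition ROLE TYPE NEW_ROLE;  (class defaults to process)
            role = $1; src = $2; cls = "process"; dst = $3
        } else if (NF == 5 && $3 == ":") {
            # role_transition ROLE TYPE : CLASS NEW_ROLE;
            role = $1; src = $2; cls = $4; dst = $5
        } else {
            next   # brace-enclosed role/type sets are not handled here
        }
        key = role " " src " " cls
        count[key]++
        target[key] = dst
      }
      END {
        for (k in count)
            if (count[k] > 1)
                printf "%s -> %s (%d)\n", k, target[k], count[k]
      }' \
    | sort
}

# Constructed excerpt in the shape of an expanded policy.conf: the third
# statement repeats the first with the class spelled out, which is the
# (sysadm_r, iptables_initrc_exec_t, process) duplicate from the error log.
SAMPLE_POLICY_CONF='#line 493
	role_transition sysadm_r iptables_initrc_exec_t system_r;
	role_transition sysadm_r dmesg_initrc_exec_t system_r;
#line 120
	role_transition sysadm_r iptables_initrc_exec_t:process system_r;
	role_transition staff_r iptables_initrc_exec_t : process system_r;'

printf '%s\n' "$SAMPLE_POLICY_CONF" | dup_role_transitions
```

Run dup_role_transitions against the policy.conf that make policy leaves in the tree root, the expanded file checkpolicy was parsing when it reported line 515081; the #line markers around each hit tell you which two modules both emit the transition, which is the information needed to decide whether the duplicate comes from the fork being used or from a local modules.conf choice. build_monolithic is deliberately not invoked by the script because it needs a real refpolicy tree.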

* [refpolicy] Using monolithic policy for embedded device
  2016-08-22  8:31   ` Dominick Grift
@ 2016-08-23  0:45     ` Chris PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2016-08-23  0:45 UTC (permalink / raw)
  To: refpolicy

On 08/22/16 04:31, Dominick Grift via refpolicy wrote:
> On 08/22/2016 09:28 AM, Dominick Grift wrote:
>> On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
>>> Hello all,
>>>
>>> I am new to SELinux and my goal is to implement a custom, small policy on
>>> an embedded device.
>>> Currently, I have a working modified (narrowed down) policy based on the
>>> targeted refpolicy (modular policy). I use a custom openembedded
>>> environment.
>>>
>>> My thought was that since I aim to use the policy on an embedded device (so
>>> no changes should be made to the policy on target), using a monolithic
>>> policy will save space and I could also save up some system resources.
>>>
>>> I am having trouble switching to monolithic policy. The main issue is the
>>> 'duplicate role transition for XYZ' error. This error occurs for almost any
>>> module that is not tagged as "base" in the modules.conf file. From my
>>> understanding of the SELinux Notebook, all of the modules tagged as
>>> 'module' in the modules.conf file should be compiled along with those
>>> tagged as 'base' modules when using monolithic policy.
>>>
>>> Here is an example log for one of these errors:
>>>
>>> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
>>> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
>>> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
>>> | #line 493
>>> |                       role_transition sysadm_r iptables_initrc_exec_t
>>> system_r;
>>> | checkpolicy:  error(s) encountered while parsing configuration
>>>
>>>
>>> In order to be sure that the error is not caused by any additions I
>>> made, I reverted back to the targeted policy and tried again - and got
>>> similar errors.
>>>
>>> Any hint on how to deal with this?
>>>
>>
>> Are you actually using reference policy or some refpolicy fork? Note
>> that for example the RedHat reference policy forks differ quite a bit
>> from upstream reference policy, and so it may be a fork specific issue.
>>
>> I usually do "quick-tests" every time I commit to refpolicy-contrib, to
>> ensure that refpolicy builds (also in a monolithic config), and I
>> strongly suspect that the maintainer does this as well.
>>
>
> I just ran my "super-quick-test" on up-to-date refpolicy, and it
> succeeded. So as far as I am concerned monolithic policy builds fine, but
> I may be overlooking things.
>
> I recorded this and sent it to YouTube.
>
> https://www.youtube.com/watch?v=cI16FtUKqPk
>
> As I said, the RedHat fork differs a great deal from reference policy,
> and on top of that RedHat does not test monolithic builds (because they
> only "support" modular builds).
>
> So either it's a RedHat-specific issue, or you are doing it wrong. I
> suggest that you use the Makefile that is provided with reference policy
> (see my video for hints on how to build refpolicy).
>
> Other than the above, I do not know what may cause this for you. Maybe
> others have ideas.

I'm not aware of any monolithic build problems, but I also can't test 
all combinations of modules.  I do local tests before I push and use 
TravisCI to run more extensive tests:

https://travis-ci.org/TresysTechnology/refpolicy/builds/152252796


-- 
Chris PeBenito

