selinux-refpolicy.vger.kernel.org archive mirror
From: Richard Haines <richard_c_haines@btinternet.com>
To: Ashish Mishra <ashishm@mvista.com>
Cc: selinux-refpolicy@vger.kernel.org,
	Paul Moore <paul@paul-moore.com>,
	SElinux list <selinux@vger.kernel.org>
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
Date: Sun, 06 Dec 2020 15:29:32 +0000
Message-ID: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com>
In-Reply-To: <CAP2OjcjCFYiyMfqa=X__X6g0U0143U5Fd-xGaKJgGNabFUpr7w@mail.gmail.com>

On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> Hi All,
> 
> Good Morning.
> 
> I am following the SELINUX NOTEBOOK & trying the same at my end.
> 
> - The refpolicy modules are copied at /usr/share/selinux/refpolicy
>    I can see around 400+ modules there.
>    But can senior members please help me understand how the
>    /etc/selinux/refpolicy/policy/policy.31 is created using the modules
>    available at /usr/share/selinux
>    The commands I followed:
>                 $ make install-src
>                 $ make conf
>                 $ make load ( tried even $ make install )
>                 $ make install-headers
> 

Just to be clear (as you didn't state whether the binary policy file
was built at all), if you run these commands:

mkdir refpol
cd refpol
git clone https://github.com/SELinuxProject/refpolicy.git
# the clone creates refpolicy/, which holds build.conf and the Makefile
cd refpolicy
# Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
make install-src
cd /etc/selinux/refpolicy/src/policy
make conf
make load
make install-headers

The policy binary file should now be created at:
  /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
True ??

To add a new module (that will rebuild the binary policy file) you can
install the new *.te *.if and *.fc files in a directory and run from
that directory (you will need to ensure /etc/selinux/config has
SELINUXTYPE=refpolicy set):

make -f /usr/share/selinux/refpolicy/include/Makefile load

This Makefile basically reads the build.conf file, uses checkmodule to
build the *.pp file, then semodule to add to store and build the binary
policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
files).

I've just tried this on Fedora 33 with no problems.

Note: While running through this example I noticed an error in the
Notebook - the Reference policy does not have a contribute section, I'll
send a patch to remove:

Add the contributed modules (policy/modules/contrib)
git submodule init
git submodule update

> 
> - This can help me to debug an issue where I am trying to get selinux
>    of my custom distro where all the make commands are successfully
>    executed but the policy.31 is not getting created
> 
> - I can even see the "include" folder also getting created for make
>    install-headers
> 
> Any pointers will be helpful or please let me know if I am missing
> any aspect here.
> 
> Thanks ,
> Ashish.
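
Added example, not part of the original message: a shell check for the symptom discussed in this thread (the make targets succeed but no policy.NN appears), covering the points the reply names: SELINUXTYPE in /etc/selinux/config, the prebuilt *.pp files under /usr/share/selinux/<name>, and the binary under /etc/selinux/<name>/policy. The function names and the optional root-prefix argument (for inspecting a staged distro image tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a live system:
#   check_policy_build "" refpolicy
# or against a staged image tree (hypothetical path):
#   check_policy_build /path/to/rootfs refpolicy

# Print the SELINUXTYPE value from <root>/etc/selinux/config, skipping comments.
selinux_type() {
    root=${1:-}
    sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$root/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Print the highest-versioned policy.NN in <root>/etc/selinux/<name>/policy.
# Returns non-zero when no binary policy file exists there.
newest_policy() {
    root=${1:-}; ptype=$2
    best=; bestver=-1
    for f in "$root/etc/selinux/$ptype/policy"/policy.[0-9]*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case $ver in *[!0-9]*) continue ;; esac   # skip e.g. policy.31.bak
        if [ "$ver" -gt "$bestver" ]; then bestver=$ver; best=$f; fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Exit codes: 0 binary found, 2 SELINUXTYPE missing, 3 wrong SELINUXTYPE,
# 4 no binary policy for the expected policy name.
check_policy_build() {
    root=${1:-}; want=${2:-refpolicy}
    ptype=$(selinux_type "$root")
    if [ -z "$ptype" ]; then
        echo "SELINUXTYPE not set in $root/etc/selinux/config"; return 2
    fi
    if [ "$ptype" != "$want" ]; then
        echo "SELINUXTYPE=$ptype, but the build expects $want"; return 3
    fi
    npp=0
    for m in "$root/usr/share/selinux/$want"/*.pp; do
        if [ -f "$m" ]; then npp=$((npp + 1)); fi
    done
    bin=$(newest_policy "$root" "$want") || {
        echo "$npp prebuilt .pp modules, no binary policy under $root/etc/selinux/$want/policy"
        return 4
    }
    echo "$npp prebuilt .pp modules, binary policy: $bin"
}
```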


