From: Ashish Mishra <ashishm@mvista.com>
To: Richard Haines <richard_c_haines@btinternet.com>
Cc: selinux-refpolicy@vger.kernel.org,
Paul Moore <paul@paul-moore.com>,
SElinux list <selinux@vger.kernel.org>
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
Date: Mon, 7 Dec 2020 06:51:21 +0530 [thread overview]
Message-ID: <CAP2OjchJjMo8zMVvHk-_esu-53E0=367yV8cuZtwQwubi7+q=Q@mail.gmail.com> (raw)
In-Reply-To: <e82841a8b652f4b4b697ba1e417fdac56f443adb.camel@btinternet.com>
Hi Richard,
1) There are approx. 426 *.pp files being created under
/usr/share/selinux/refpolicy
Attached is the log, which contains the list of files.
2) I can confirm the stages till semodule.
3) This is a custom Linux SDK 4.x series BSP on which I am trying to
get the refpolicy installed.
4) Any pointers to verify if make load is happening as expected, or the
https://github.com/SELinuxProject/selinux installation?
Because I am not observing any error here during make -v.
I am trying to look at the probable cause / pointers to debug the
missing policy.31 file here.
Any inputs will be helpful.
Thanks.
Ashish
On Sun, Dec 6, 2020 at 10:45 PM Richard Haines
<richard_c_haines@btinternet.com> wrote:
>
> On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote:
> > Hi Richard,
> >
> > Thanks for replying back.
> >
> > 1) The policy.31 binary is not getting created at:
> > /etc/selinux/refpolicy/policy/policy.31
> >
> > 2) Using the verbose of makefile I can see that the semodule command
> > is reached.
> > But even in verbose mode, I can't see any action / command message
> > shown for policy.31 being created.
> > Hence I am trying to understand how the final policy.31 file is
> > being created.
>
> You will not see a reference to 'policy.31' when running semodule. It
> just takes the large list of modules and its store id, the rest is
> magic (the default name is 'policy', the version is derived from the
> policy-version= entry in the semanage.conf file or the kernel default).
> It then adds the policy binary file to:
>
> /etc/selinux/<SELINUXTYPE>/policy/policy.<ver>
>
> Where <SELINUXTYPE> is the policy store id that should match the
> /etc/selinux/config SELINUXTYPE= entry when loading the policy.
>
> For example when I run 'make -d load' I see (cut down):
>
> Loading configured modules.
> /usr/sbin/semodule -s refpolicy -i /usr/share/selinux/refpolicy/base.pp
> -i /usr/share/selinux/refpolicy/abrt.pp ......
>
> BTW what distro/version are you using as I use Fedora 33 that by
> default generates an '/etc/selinux/refpolicy/policy/policy.32' binary
> file.
>
> >
> > 3) Below are the files being created under /etc/selinux :
> > refpolicy/contexts:
> > customizable_types default_type initrc_context
> > removable_context userhelper_context virtual_image_context
> > dbus_contexts failsafe_context lxc_contexts
> > securetty_types users x_contexts
> > default_contexts files openrc_contexts
> > sepgsql_contexts virtual_domain_context
> >
> > refpolicy/policy:
> My initial thought is that 'make load' is not being called or something
> is wrong with 'https://github.com/SELinuxProject/selinux' installation
>
> >
> > refpolicy/src:
> > policy
> >
> >
> > 4) Below are the files being created under
>
> Are there any *.pp files under:
> /usr/share/selinux/refpolicy
>
> If not again looks like 'https://github.com/SELinuxProject/selinux'
> installation problem checkpolicy/checkmodule ??
>
> > /usr/share/selinux/refpolicy/include/
> > admin apps build.conf global_tunables.xml
> > kernel.xml roles services support system.xml
> > admin.xml apps.xml global_booleans.xml kernel
> > Makefile roles.xml services.xml system
> >
> > Any pointer to a probable aspect which can cause such an error, as I am
> > trying to understand
> > how the policy.31 binary is created from individual modules
> >
> > Thanks ,
> > Ashish
> >
> >
> >
> >
> > On Sun, Dec 6, 2020 at 8:59 PM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > >
> > > On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > > > Hi All,
> > > >
> > > > Good Morning.
> > > >
> > > > I am following the SELINUX NOTEBOOK & trying the same at my end.
> > > >
> > > > - The refpolicy modules are copied at
> > > > /usr/share/selinux/refpolicy
> > > > I can see around 400+ modules there.
> > > > But can senior members please help me understand how
> > > > /etc/selinux/refpolicy/policy/policy.31 is created using the
> > > > modules
> > > > available at
> > > > /usr/share/selinux
> > > > The commands I followed:
> > > > $ make install-src
> > > > $ make conf
> > > > $ make load ( tried even $ make install )
> > > > $ make install-headers
> > > >
> > >
> > > Just to be clear (as you didn't state whether the binary policy
> > > file
> > > was built at all), if you run these commands:
> > >
> > > mkdir refpol
> > > cd refpol
> > > git clone https://github.com/SELinuxProject/refpolicy.git
> > > Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> > > make install-src
> > > cd /etc/selinux/refpolicy/src/policy
> > > make conf
> > > make load
> > > make install-headers
> > >
> > > The policy binary file should now be created at:
> > > /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> > > True ??
> > >
> > > To add a new module (that will rebuild the binary policy file) you
> > > can
> > > install the new *.te *.if and *.fc files in a directory and run
> > > from
> > > that directory (you will need to ensure /etc/selinux/config has
> > > SELINUXTYPE=refpolicy set):
> > >
> > > make -f /usr/share/selinux/refpolicy/include/Makefile load
> > >
> > > This Makefile basically reads the build.conf file, uses checkmodule
> > > to
> > > build the *.pp file, then semodule to add to store and build the
> > > binary
> > > policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
> > > files).
> > >
> > > I've just tried this on Fedora 33 with no problems.
> > >
> > > Note: While running through this example I noticed an error in the
> > > Notebook - the Reference policy does not have a contribute section,
> > > I'll
> > > send a patch to remove:
> > >
> > > Add the contributed modules (policy/modules/contrib)
> > > git submodule init
> > > git submodule update
> > >
> > > >
> > > > - This can help me to debug an issue where I am trying to get
> > > > SELinux
> > > > on my custom
> > > > distro where all the make commands are successfully executed
> > > > but
> > > > policy.31
> > > > is not getting created
> > > >
> > > > - I can even see the "include" folder also getting created for
> > > > make
> > > > install-headers
> > > >
> > > > Any pointers will be helpful, or please let me know if I am
> > > > missing
> > > > any
> > > > aspect here.
> > > >
> > > > Thanks,
> > > > Ashish.
> > >
> > >
>
>
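The stages the thread walks through (the *.pp modules, the store id handed to semodule -s, the version taken from policy-version= in semanage.conf or else from the kernel, and the resulting /etc/selinux/<store>/policy/policy.<ver>) can be checked mechanically against a staged rootfs. The script below is an added, constructed diagnostic, not code from the thread, the Notebook or refpolicy; it assumes the standard paths named in the thread and reads the kernel's maximum version from /sys/fs/selinux/policyvers unless another file is given.

```shell
#!/bin/sh
# Constructed diagnostic for the pipeline discussed in the thread:
# *.pp modules -> semodule -s <store> -> /etc/selinux/<store>/policy/policy.<ver>
# ROOT lets it run against a staged rootfs (use "/" on a live system).

# Version semodule will write: policy-version= in semanage.conf wins,
# otherwise the kernel's maximum from policyvers (assumed: /sys/fs/selinux/policyvers).
expected_policy_version() {
    conf="$1"; vers_file="${2:-/sys/fs/selinux/policyvers}"
    v=$(sed -n 's/^[[:space:]]*policy-version[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" 2>/dev/null | tail -n 1)
    [ -n "$v" ] || v=$(cat "$vers_file" 2>/dev/null)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Number of *.pp modules that 'make load' would pass to semodule -i.
count_pp_modules() {
    find "$1" -maxdepth 1 -name '*.pp' 2>/dev/null | wc -l | tr -d ' '
}

# SELINUXTYPE= from /etc/selinux/config; must equal the store id given to semodule -s.
configured_store() {
    sed -n 's/^SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1
}

# Returns 0 when every stage lines up, otherwise a code for the first stage that fails:
# 2 no modules, 3 no version, 4 store mismatch, 5 binary policy missing.
check_policy_store() {
    root="$1"; store="$2"; vers_file="$3"
    mods=$(count_pp_modules "$root/usr/share/selinux/$store")
    [ "$mods" -gt 0 ] || { echo "no *.pp modules under usr/share/selinux/$store"; return 2; }
    ver=$(expected_policy_version "$root/etc/selinux/semanage.conf" "$vers_file") \
        || { echo "cannot determine policy version"; return 3; }
    cfg=$(configured_store "$root/etc/selinux/config")
    [ "$cfg" = "$store" ] || { echo "SELINUXTYPE='$cfg' does not match store '$store'"; return 4; }
    bin="$root/etc/selinux/$store/policy/policy.$ver"
    [ -f "$bin" ] || { echo "$mods modules present but $bin missing: semodule -s $store never wrote it"; return 5; }
    echo "ok: $mods modules, $bin"
}
```

Run as `check_policy_store /path/to/rootfs refpolicy` after `make load`; a return code of 5 with hundreds of modules counted is the situation described in this thread, and points at the semodule step rather than at the module build.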
[-- Attachment #2: usr-share-selinux-refpolicy.txt --]
[-- Type: text/plain, Size: 7280 bytes --]