Hi Richard,

1) There are approx 426 *.pp files being created under
   /usr/share/selinux/refpolicy
   Attached is the log, which contains the list of files.

2) I can confirm the stages till semodule

3) This is a custom Linux SDK 4.x series BSP on which I am trying to
   get the refpolicy installed.

4) Any pointers to verify if make load is happening as expected or
   https://github.com/SELinuxProject/selinux installation
   Because I am not observing any error here during make -v.

I am trying to look at the probable cause / pointers to debug the
missing policy.31 file here.
Any inputs will be helpful.

Thanks.
Ashish

On Sun, Dec 6, 2020 at 10:45 PM Richard Haines wrote:
>
> On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote:
> > Hi Richard,
> >
> > Thanks for replying back.
> >
> > 1) The policy.31 binary is not getting created at:
> >      /etc/selinux/refpolicy/policy/policy.31
> >
> > 2) Using the verbose of makefile I can see that the semodule command
> >    is reached.
> >    But even in verbose mode, I can't see any action / command message
> >    shown for policy.31 being created.
> >    Hence I am trying to understand how the final policy.31 file is
> >    being created.
>
> You will not see a reference to 'policy.31' when running semodule. It
> just takes the large list of modules and its store id, the rest is
> magic (the default name is 'policy', the version is derived from the
> policy-version= entry in the semanage.conf file or the kernel default).
> It then adds the policy binary file to:
>
> /etc/selinux//policy/policy.
>
> Where is the policy store id that should match the
> /etc/selinux/config SELINUXTYPE= entry when loading the policy.
>
> For example when I run 'make -d load' I see (cutdown):
>
> Loading configured modules.
> /usr/sbin/semodule -s refpolicy -i /usr/share/selinux/refpolicy/base.pp
> -i /usr/share/selinux/refpolicy/abrt.pp ......
>
> BTW what distro/version are you using as I use Fedora 33 that by
> default generates an '/etc/selinux/refpolicy/policy/policy.32' binary
> file.
>
> >
> > 3) Below are the files being created under /etc/selinux :
> >    refpolicy/contexts:
> >    customizable_types  default_type      initrc_context
> >    removable_context   userhelper_context  virtual_image_context
> >    dbus_contexts       failsafe_context  lxc_contexts
> >    securetty_types     users             x_contexts
> >    default_contexts    files             openrc_contexts
> >    sepgsql_contexts    virtual_domain_context
> >
> >    refpolicy/policy:
> My initial thought is that 'make load' is not being called or something
> is wrong with 'https://github.com/SELinuxProject/selinux' installation
>
> >
> >    refpolicy/src:
> >    policy
> >
> > 4) Below are the files being created under
>
> Are there any *.pp files under:
> /usr/share/selinux/refpolicy
>
> If not again looks like 'https://github.com/SELinuxProject/selinux'
> installation problem checkpolicy/checkmodule ??
>
> > /usr/share/selinux/refpolicy/include/
> >    admin       apps      build.conf           global_tunables.xml
> >    kernel.xml  roles     services  support    system.xml
> >    admin.xml   apps.xml  global_booleans.xml  kernel
> >    Makefile    roles.xml services.xml         system
> >
> > Any pointer of probable aspect which can cause such error as I am
> > trying to understand
> > how policy.31 binary is created from individual modules
> >
> > Thanks,
> > Ashish
> >
> > On Sun, Dec 6, 2020 at 8:59 PM Richard Haines wrote:
> > >
> > > On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > > > Hi All,
> > > >
> > > > Good Morning.
> > > >
> > > > I am following the SELINUX NOTEBOOK & trying the same at my end.
> > > >
> > > > - The refpolicy modules are copied at
> > > >   /usr/share/selinux/refpolicy
> > > >   I can see around 400+ modules there.
> > > >   But can senior members please help me understand how is the
> > > >   /etc/selinux/refpolicy/policy/policy.31 created using the
> > > >   modules available at
> > > >   /usr/share/selinux
> > > >   The command I followed :
> > > >   $ make install-src
> > > >   $ make conf
> > > >   $ make load ( tried even $ make install )
> > > >   $ make install-headers
> > > >
> > >
> > > Just to be clear (as you didn't state whether the binary policy file
> > > was built at all), if you run these commands:
> > >
> > > mkdir refpol
> > > cd refpol
> > > git clone https://github.com/SELinuxProject/refpolicy.git
> > > Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> > > make install-src
> > > cd /etc/selinux/refpolicy/src/policy
> > > make conf
> > > make load
> > > make install-headers
> > >
> > > The policy binary file should now be created at:
> > > /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> > > True ??
> > >
> > > To add a new module (that will rebuild the binary policy file) you
> > > can install the new *.te *.if and *.fc files in a directory and run
> > > from that directory (you will need to ensure /etc/selinux/config has
> > > SELINUXTYPE=refpolicy set):
> > >
> > > make -f /usr/share/selinux/refpolicy/include/Makefile load
> > >
> > > This Makefile basically reads the build.conf file, uses checkmodule
> > > to build the *.pp file, then semodule to add to store and build the
> > > binary policy (also using the prebuilt
> > > /usr/share/selinux/refpolicy/*.pp files).
> > >
> > > I've just tried this on Fedora 33 with no problems.
> > >
> > > Note: While running through this example I noticed an error in the
> > > Notebook - the Reference policy does not have a contribute section,
> > > I'll send patch to remove:
> > >
> > > Add the contributed modules (policy/modules/contrib)
> > > git submodule init
> > > git submodule update
> > >
> > > >
> > > > - This can help me to debug an issue where I am trying to get
> > > >   selinux of my custom distro where all the make commands are
> > > >   successfully executed but the policy.31 is not getting created
> > > >
> > > > - I can even see the "include" folder also getting created for
> > > >   make install-headers
> > > >
> > > > Any pointers will be helpful or please let me know if I am
> > > > missing any aspect here.
> > > >
> > > > Thanks,
> > > > Ashish.
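
The stages discussed in this thread (compiled *.pp modules, semodule committing them to the store, the policy.<ver> binary, the SELINUXTYPE= match) can be checked one at a time. The script below is an added example, not part of the original thread; the ROOT prefix argument and the function names are hypothetical, and the /var/lib/selinux store location assumes libsemanage 2.4 or later.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the thread). ROOT is a hypothetical
# prefix so the checks can run against a staged BSP rootfs; use "" for "/".

# SELINUXTYPE= value from /etc/selinux/config
selinux_type() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# policy-version= from semanage.conf; empty means the kernel default is used
policy_version() {
    sed -n 's/^policy-version[[:space:]]*=[[:space:]]*//p' \
        "$1/etc/selinux/semanage.conf" 2>/dev/null | tail -n 1
}

# Number of compiled modules under /usr/share/selinux/<store>
count_pp() {
    find "$1/usr/share/selinux/$2" -maxdepth 1 -name '*.pp' 2>/dev/null | wc -l | tr -d ' '
}

# First policy.<ver> binary under /etc/selinux/<store>/policy, if any
policy_binary() {
    ls "$1/etc/selinux/$2/policy/"policy.* 2>/dev/null | head -n 1
}

# diagnose ROOT STORE: the return code names the first stage that is missing
diagnose() {
    root=$1; store=$2
    if [ "$(count_pp "$root" "$store")" -eq 0 ]; then
        echo "no *.pp under /usr/share/selinux/$store (module build stage)"; return 1
    fi
    # Assumption: libsemanage 2.4+ keeps the module store under /var/lib/selinux
    if [ ! -d "$root/var/lib/selinux/$store/active/modules" ]; then
        echo "module store missing: semodule -s $store did not commit"; return 2
    fi
    bin=$(policy_binary "$root" "$store")
    if [ -z "$bin" ]; then
        ver=$(policy_version "$root")
        echo "no policy.<ver> binary (policy-version=${ver:-unset, kernel default})"; return 3
    fi
    cfg=$(selinux_type "$root")
    if [ "$cfg" != "$store" ]; then
        echo "built $bin but SELINUXTYPE='$cfg' does not match '$store'"; return 4
    fi
    echo "ok: $bin"
}

if [ "$#" -ge 2 ]; then diagnose "$1" "$2"; fi
```

On the target this would be run as `sh check.sh "" refpolicy` (the file name is arbitrary); a return code of 2 or 3 points at the semodule step rather than the module build.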