From: Ashish Mishra
Date: Sun, 6 Dec 2020 22:00:59 +0530
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
To: Richard Haines
Cc: selinux-refpolicy@vger.kernel.org, Paul Moore, SElinux list

Hi Richard,

Thanks for replying back.

1) The policy.31 binary is not getting created at:
   /etc/selinux/refpolicy/policy/policy.31

2) Using the verbose mode of the makefile I can see that the semodule command is reached.
   But even in verbose mode, I can't see any action / command message shown
   for policy.31 being created.
   Hence I am trying to understand how the final policy.31 file is being created.

3) Below are the files being created under /etc/selinux:

refpolicy/contexts:
customizable_types  default_type      initrc_context   removable_context  userhelper_context      virtual_image_context
dbus_contexts       failsafe_context  lxc_contexts     securetty_types    users                   x_contexts
default_contexts    files             openrc_contexts  sepgsql_contexts   virtual_domain_context

refpolicy/policy:

refpolicy/src:
policy

4) Below are the files being created under /usr/share/selinux/refpolicy/include/

admin      apps      build.conf           global_tunables.xml  kernel.xml  roles      services      support  system.xml
admin.xml  apps.xml  global_booleans.xml  kernel               Makefile    roles.xml  services.xml  system

Any pointer of probable aspect which can cause such error, as I am trying
to understand how the policy.31 binary is created from individual modules.

Thanks,
Ashish

On Sun, Dec 6, 2020 at 8:59 PM Richard Haines wrote:
>
> On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > Hi All,
> >
> > Good Morning.
> >
> > I am following the SELINUX NOTEBOOK & trying the same at my end.
> >
> > - The refpolicy modules are copied at /usr/share/selinux/refpolicy
> >   I can see around 400+ modules there.
> >   But can senior members please help me understand how is the
> >   /etc/selinux/refpolicy/policy/policy.31 created using the modules
> >   available at /usr/share/selinux
> >   The commands I followed:
> >   $ make install-src
> >   $ make conf
> >   $ make load ( tried even $ make install )
> >   $ make install-headers
> >
>
> Just to be clear (as you didn't state whether the binary policy file
> was built at all), if you run these commands:
>
> mkdir refpol
> cd refpol
> git clone https://github.com/SELinuxProject/refpolicy.git
> Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> make install-src
> cd /etc/selinux/refpolicy/src/policy
> make conf
> make load
> make install-headers
>
> The policy binary file should now be created at:
> /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> True ??
>
> To add a new module (that will rebuild the binary policy file) you can
> install the new *.te *.if and *.fc files in a directory and run from
> that directory (you will need to ensure /etc/selinux/config has
> SELINUXTYPE=refpolicy set):
>
> make -f /usr/share/selinux/refpolicy/include/Makefile load
>
> This Makefile basically reads the build.conf file, uses checkmodule to
> build the *.pp file, then semodule to add to store and build the binary
> policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
> files).
>
> I've just tried this on Fedora 33 with no problems.
>
> Note: While running through this example I noticed an error in the
> Notebook - the Reference policy does not have a contribute section, I'll
> send patch to remove:
>
> Add the contributed modules (policy/modules/contrib)
> git submodule init
> git submodule update
>
> >
> > - This can help me to debug an issue where I am trying to get selinux
> >   of my custom distro where all the make commands are successfully
> >   executed but the policy.31 is not getting created
> >
> > - I can even see the "include" folder also getting created for make
> >   install-headers
> >
> > Any pointers will be helpful or please let me know if I am missing
> > any aspect here.
> >
> > Thanks,
> > Ashish.
> >
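
Added example, not part of the thread and not refpolicy's own code: a shell check that walks the chain described above (*.pp packages, semodule store, binary policy) and reports the first stage that left no output. The function name, the ROOT prefix argument and the return codes are this example's own; the two store paths are the libsemanage layouts known to the editor, not paths given in the thread.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix so a staging tree can be
# checked ("" for the live system); NAME is the policy name from build.conf.
# Return codes (this example's own): 0 policy present, 1 SELINUXTYPE
# mismatch, 2 no *.pp packages, 3 module store empty, 4 no binary policy.
check_policy_chain() {
    root=${1%/}
    name=$2

    # Stage 1: /etc/selinux/config must select this policy.
    stype=$(sed -n 's/^SELINUXTYPE=\([^[:space:]]*\).*/\1/p' \
            "$root/etc/selinux/config" 2>/dev/null | tail -n 1)
    if [ "$stype" != "$name" ]; then
        echo "SELINUXTYPE is '${stype:-unset}', expected '$name'"
        return 1
    fi

    # Stage 2: compiled module packages installed under /usr/share/selinux.
    set -- "$root/usr/share/selinux/$name"/*.pp
    if [ ! -e "$1" ]; then
        echo "no *.pp packages under /usr/share/selinux/$name"
        return 2
    fi
    echo "$# module package(s) found"

    # Stage 3: semodule adds modules to the store. Both the current
    # (/var/lib/selinux) and the older (/etc/selinux/NAME/modules) layouts
    # are checked.
    store=
    for d in "$root/var/lib/selinux/$name/active/modules" \
             "$root/etc/selinux/$name/modules/active/modules"; do
        if [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]; then store=$d; fi
    done
    if [ -z "$store" ]; then
        echo "module store is empty: semodule did not install anything"
        return 3
    fi

    # Stage 4: the store was linked and written out as policy.NN.
    set -- "$root/etc/selinux/$name/policy"/policy.[0-9]*
    if [ ! -e "$1" ]; then
        echo "store populated at $store but no policy.NN was written"
        return 4
    fi
    echo "binary policy: $1"
    return 0
}
```

Source the file and call `check_policy_chain "" refpolicy` after `make load`; the return code says which stage to look at next.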