Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1847681pxu; Sun, 6 Dec 2020 09:17:24 -0800 (PST) X-Google-Smtp-Source: ABdhPJzs98D7Q7cM6vPUzNc4rXZ7JR6okP9bXJNgU81IwFXG0AHuV4gf4ZWtGy8bzNXYPqXotKI8 X-Received: by 2002:a17:906:e28c:: with SMTP id gg12mr16305447ejb.74.1607275044667; Sun, 06 Dec 2020 09:17:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607275044; cv=none; d=google.com; s=arc-20160816; b=DbF/c4XNDaH5oELMRcXRZ+QFJj2goPlocsdmQqFW45hlE3mZQ8i+enWuUEtF2ojphs BGtyKzwHloknoNG7rIB5w3Ic/vtsVGZx15LTN2gA5YV//WrFdZ850JX5JPwr3i8iVW/5 FVIP7qqHctC440KbIMfduZqCT32SPg3zAn6DV38anIm0hzRRE/nOAscnHJh6SOm4m9p6 Y+FGONqUNy2a5rj5/3rv4Dk4CDrfi9UOzVPNyUbJUtSJcQUcYyvyByi2eDWE5uwgEZCT grMmZP3+wAaPLkZk0wBJ24y/olsoYhUm+e5/rXTosvSViFq3d48fQgSe3Me5hhCbAML3 zWsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=RAAbkhFgb0x9S/IS8jL6h6/4g4d1h01s1edFXYH5FwQ=; b=OfrJtR0mcdEKjDIOX3eJetiVuHlWuxIFG9f1/Wgm+vbOZK1LJ/fYgObHePyqTIhaHE zWF2gkH5mAMSwFOXYl/efTgH94GswGJ0Xoued6of16pM9X8cDH2KgL0WCRTEH/8KEFRj lWOSV71Lm6ykRNChQyjjheqa6sOy3q1IGaRy/peEFDESwzkJppw5u43x7qaHY43TyzRz Vbsg/1KRuFKGUhjDRbyHbQZZyydUerTrFTzXnrQxufcUKEpuVinUUdkKzBQK0zS4TRPx dwy/QAKSlb41dN6s3OdLlHSpkTRwV7p//l8GswpN7foypFoS49nscg/zoR8eIeZ7NZy3 mJyg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=iCGp3B+g; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d8si6439346edm.404.2020.12.06.09.17.19; Sun, 06 Dec 2020 09:17:24 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=iCGp3B+g; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726981AbgLFRQJ (ORCPT + 16 others); Sun, 6 Dec 2020 12:16:09 -0500 Received: from mailomta31-re.btinternet.com ([213.120.69.124]:48562 "EHLO re-prd-fep-044.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726043AbgLFRQJ (ORCPT ); Sun, 6 Dec 2020 12:16:09 -0500 X-Greylist: delayed 6345 seconds by postgrey-1.27 at vger.kernel.org; Sun, 06 Dec 2020 12:16:06 EST Received: from re-prd-rgout-004.btmx-prd.synchronoss.net ([10.2.54.7]) by re-prd-fep-044.btinternet.com with ESMTP id <20201206171524.EJAL29010.re-prd-fep-044.btinternet.com@re-prd-rgout-004.btmx-prd.synchronoss.net>; Sun, 6 Dec 2020 17:15:24 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1607274924; bh=RAAbkhFgb0x9S/IS8jL6h6/4g4d1h01s1edFXYH5FwQ=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References:MIME-Version; b=iCGp3B+gqHYDP9Gyk6s2mkKRof8oDgxwyu3X4uMONdZq9u/QzHBlglf2JwTzobm5Wpwv3f2fsHoiRphVu19aHTmwfY60rRE+4jz3p3jFaZl6e74a/oV2ANQSMXyUgS4M3y8SpS20KuHg1njB2qQ7QqC43LeguHDlHQ4fcBAhUyK4s0diQ6bSEAh/QeB2H8q9eyj4xvWJkCvBeJiy/eQ+JLziIweXGyYtafJIFiBWh4gZ/mwN6G5W0fLUrLzfjVmxG/vUG6gpHd4cCo86F0i6dgoUUwsVnBx72Kns0Hvxpqb5n2xCwOBnSxCq4QF/ErHxjyJw+CGTTd2YYNiTjgmerw== Authentication-Results: btinternet.com; auth=pass (LOGIN) smtp.auth=richard_c_haines@btinternet.com X-SNCR-Rigid: 5ED9C5061D5A96A0 X-Originating-IP: [86.183.114.64] X-OWM-Source-IP: 86.183.114.64 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedujedrudejvddguddttdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemuceutffkvffkuffjvffgnffgvefqofdpqfgfvfenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhepkffuhffvffgjfhgtfggggfesthekredttderjeenucfhrhhomheptfhitghhrghrugcujfgrihhnvghsuceorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomheqnecuggftrfgrthhtvghrnhepvdeiudfhvdejteffjeelvdeuvdehgffflefghfefleegieejjeelkeeljeejhfdvnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucfkphepkeeirddukeefrdduudegrdeigeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopegludelvddrudeikedruddrudelkegnpdhinhgvthepkeeirddukeefrdduudegrdeigedpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequceuqfffjgepkeeukffvoffkoffgpdhrtghpthhtohepoegrshhhihhshhhmsehmvhhishhtrgdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeoshgvlhhinhhugidqrhgvfhhpohhlihgthiesvhhgvghrrdhkvghrnhgvlhdrohhrgheqpdhrtghpthhtohepoehs vghlihhnuhigsehvghgvrhdrkhgvrhhnvghlrdhorhhgqe X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from [192.168.1.198] (86.183.114.64) by re-prd-rgout-004.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9C5061D5A96A0; Sun, 6 Dec 2020 17:15:24 +0000 Message-ID: Subject: Re: How is policy.31 created from modules under /usr/share/selinux From: Richard Haines To: Ashish Mishra Cc: selinux-refpolicy@vger.kernel.org, Paul Moore , SElinux list Date: Sun, 06 Dec 2020 17:15:24 +0000 In-Reply-To: References: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.1 (3.38.1-1.fc33) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote: > Hi Richard , > > Thanks for replying back. > > 1) The policy.31 binary is not getting  created at: >   /etc/selinux/refpolicy/policy/policy.31 > > 2) Using the verbose of makefile I can see that the semodule command > is reached . >    But even in verbose mode , I can't see any action / command > message >    shown for policy.31 being created. >    Hence I am trying to understand how the final policy.31 file is > being created . You will not see a reference to 'policy.31' when running semodule. It just takes the large list of modules and its store id, the rest is magic (the default name is 'policy', the version is derived from the policy-version= entry in the semanage.conf file or the kernel default). It then adds the policy binary file to: /etc/selinux//policy/policy. Where is the policy store id that should match the /etc/selinux/config SELINUXTYPE= entry when loading the policy. For example when I run 'make -d load' I see (cutdown): Loading configured modules. /usr/sbin/semodule -s refpolicy -i /usr/share/selinux/refpolicy/base.pp -i /usr/share/selinux/refpolicy/abrt.pp ...... BTW what distro/version are you using as I use Fedora 33 that by default generates an '/etc/selinux/refpolicy/policy/policy.32' binary file. > > 3) Below are the files being created under /etc/selinux : >    refpolicy/contexts: >    customizable_types  default_type      initrc_context > removable_context  userhelper_context      virtual_image_context >    dbus_contexts       failsafe_context  lxc_contexts > securetty_types    users                   x_contexts >    default_contexts    files             openrc_contexts > sepgsql_contexts   virtual_domain_context > >    refpolicy/policy: My initial thought is that 'make load' is not being called or something is wrong with 'https://github.com/SELinuxProject/selinux' installation > >    refpolicy/src: >    policy > > > 4) Below are the files being created under Are there any *.pp files under: /usr/share/selinux/refpolicy If not again looks like 'https://github.com/SELinuxProject/selinux' installation problem checkpolicy/checkmodule ?? > /usr/share/selinux/refpolicy/include/ >    admin      apps      build.conf           global_tunables.xml > kernel.xml  roles      services      support  system.xml >    admin.xml  apps.xml  global_booleans.xml  kernel > Makefile    roles.xml  services.xml  system > > Any pointer of probable aspect which can cause such error as I am > trying to understand > how policy.31 binary is created from individual modules > > Thanks , > Ashish > > > > > On Sun, Dec 6, 2020 at 8:59 PM Richard Haines > wrote: > > > > On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote: > > > Hi All  , > > > > > > Good Morning . > > > > > > I am following the SELINUX NOTEBOOK & trying the same at my end . > > > > > > - The refpolicy modules are copied at > > > /usr/share/selinux/refpolicy > > >    i can see around 400+ modules there . > > >    But can senior member' s please help me understand how is the > > >    /etc/selinux/refpolicy/policy/policy.31  created using the > > > modules > > > available at > > >    /usr/share/selinux > > >    The command i followed : > > >                 $ make install-src > > >                 $ make conf > > >                 $ make load ( tried even $ make install ) > > >                 $ make install-headers > > > > > > > Just to be clear (as you didn't state whether the binary policy > > file > > was built at all), if you run these commands: > > > > mkdir refpol > > cd refpol > > git clone https://github.com/SELinuxProject/refpolicy.git > > Edit build.conf file to requirements (e.g. NAME = refpolicy etc.) > > make install-src > > cd /etc/selinux/refpolicy/src/policy > > make conf > > make load > > make install-headers > > > > The policy binary file should now be created at: > >   /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33) > > True ?? > > > > To add a new module (that will rebuild the binary policy file) you > > can > > install the new *.te *.if and *.fc files in a directory and run > > from > > that directory (you will need to ensure /etc/selinux/config has > > SELINUXTYPE=refpolicy set): > > > > make -f /usr/share/selinux/refpolicy/include/Makefile load > > > > This Makefile basically reads the build.conf file, uses checkmodule > > to > > build the *.pp file, then semodule to add to store and build the > > binary > > policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp > > files). > > > > I've just tried this on Fedora 33 with no problems. > > > > Note: While running through example this I noticed an error in the > > Notebook - the Reference policy does not have a contibute section, > > I'll > > send patch to remove: > > > > Add the contibuted modules (policy/modules/contrib) > > git submodule init > > git submodule update > > > > > > > > - This can help me to debug an issue where i am trying to get > > > selinux > > > of my custom > > >    distro where all the make command are successfully executed > > > but > > > the policy.31 > > >    is not getting created > > > > > > - I can even see the "include" folder also getting created for > > > make > > > install-headers > > > > > > Any pointers will be helpful or please let me know if i am > > > missing > > > any > > > aspect here . > > > > > > Thanks , > > > Ashish. > > > >