Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1908135pxu; Fri, 18 Dec 2020 00:25:13 -0800 (PST) X-Google-Smtp-Source: ABdhPJweTq13P5nW9g5pzXLRvguxICqJicMEuyhFpGn1ufFaNq5Q1APlHwQjbYbGBWFWa/ysXDZT X-Received: by 2002:a17:906:aec6:: with SMTP id me6mr2868780ejb.542.1608279912892; Fri, 18 Dec 2020 00:25:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608279912; cv=none; d=google.com; s=arc-20160816; b=X9SBwm2w1trww2SOj/Bf3Y/Y2OIsSiQeg1Y6oA7d+4wylV0V3HX3g5ELO7RyNEmFDG 2rWEOHeVwBp/SuRWnEWAqJgedaqRzB8+BPD9Nv30C2+3sLicFKYim+B/zMMUeO6pFmGh JgmKDWVP5J/FPfAF+9SpnBqgV6SdGb768sL6akAbtjew5Xh34xYMKeg+jUFL0sef0sQQ RWoR2+a8ZMJ1LtH7WZjpu2ZQ0rSBUNPe8DxD0aSfzG/F1xTX3UTtVzeFpfZ/z80tj4TB ErDjbDa+tkBM2d4bCxVlSFsOVCx4ikJEke/a0Kw488FX5wNAFhOrg00sNozS0VHax8fG L9OQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id:dkim-signature; bh=0P9Csq1FkCErpaSy2yAfZdIfEvKTnJr1QhU7u4tsnWg=; b=neV1fjh3xP1DIR/tI9IlN0xY/Y/DyT0UlUWatrKe0a1lZsj+370RsxwDnVqIpAK83h io6BI3wD3M+6fCTz7L0xxyM2Q2OFc3SRC8+3si7hAk44/7ib7u+GXlv3fpc2EjJ+TM+Q E1A4O3fz+JPPNWLzJtsfAxUpgEFGwejcopgVEhptBbL/5cEyOxeRSDz5+NtmJaixu8Yl fmU/wRomRDtxMRI/EbbQM3MybSXbU50H0KNlmKNQslLtUhxu86wpYZy0UMi3PTjvVSjO cYg9XY0Zsi24Xekafo5W8+PXWC+jk/vSxil3FtwxUcW8oA2rEp1ig/uolg31EWJW99mp +pqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=ZgBWO6K7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id gs12si4043690ejb.87.2020.12.18.00.25.04; Fri, 18 Dec 2020 00:25:12 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=ZgBWO6K7; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732916AbgLRIYs (ORCPT + 18 others); Fri, 18 Dec 2020 03:24:48 -0500 Received: from mailomta18-sa.btinternet.com ([213.120.69.24]:52357 "EHLO sa-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725895AbgLRIYs (ORCPT ); Fri, 18 Dec 2020 03:24:48 -0500 Received: from sa-prd-rgout-002.btmx-prd.synchronoss.net ([10.2.38.5]) by sa-prd-fep-045.btinternet.com with ESMTP id <20201206152940.WMMX32244.sa-prd-fep-045.btinternet.com@sa-prd-rgout-002.btmx-prd.synchronoss.net>; Sun, 6 Dec 2020 15:29:40 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1607268580; bh=0P9Csq1FkCErpaSy2yAfZdIfEvKTnJr1QhU7u4tsnWg=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References:MIME-Version; b=ZgBWO6K7623ArwqYx9qWjtnDoDJtkjoySuBjgXS6zDMtom+mlyFbkIvzbrd4tO5a0md87sCE3G5wlDT66IsLGVPkb9/vqRtTmbqwKhb1gru17NJ/90yU8ZUB/KfRn8e5wLlQ43lM3nqzoojmraH9aVDrWg50h5o+YgPfXIo8Yw+Dhuj7JCtYmRFC6hHkBrKDi+bprKmTxU8Jgdz/1KM+f+00jtiS6b1UTAW3tPk0+eHO8P7ij7uzHIzL7bA24QdW9YE6pUOPCxjefjtVvATIgO9RRAP+pDTjKiBzViK9yOOEUjJNmSQqrkp466m89sRpEM1ohJs3una36p+7QPan0g== Authentication-Results: btinternet.com; auth=pass (LOGIN) smtp.auth=richard_c_haines@btinternet.com X-SNCR-Rigid: 5ED9AA6E1D8EA84B X-Originating-IP: [86.183.114.64] X-OWM-Source-IP: 86.183.114.64 (GB) X-OWM-Env-Sender: richard_c_haines@btinternet.com X-VadeSecure-score: verdict=clean score=0/300, class=clean X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedujedrudejvddgjeejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkuffhvfffjghftggfggfgsehtkeertddtreejnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpedvieduhfdvjeetffejledvuedvhefgffelgffhfeelgeeijeejleekleejjefhvdenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeekiedrudekfedruddugedrieegnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehhvghloheplgduledvrdduieekrddurdduleekngdpihhnvghtpeekiedrudekfedruddugedrieegpdhmrghilhhfrhhomhepoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqecuuefqffgjpeekuefkvffokffogfdprhgtphhtthhopeeorghshhhishhhmhesmhhvihhsthgrrdgtohhmqedprhgtphhtthhopeeophgruhhlsehprghulhdqmhhoohhrvgdrtghomheqpdhrtghpthhtohepoehsvghlihhnuhigqdhrvghfphholhhitgihsehvghgvrhdrkhgvrhhnvghlrdhorhhgqedprhgtphhtthhopeeoshgv lhhinhhugiesvhhgvghrrdhkvghrnhgvlhdrohhrgheq X-RazorGate-Vade-Verdict: clean 0 X-RazorGate-Vade-Classification: clean X-SNCR-hdrdom: btinternet.com Received: from [192.168.1.198] (86.183.114.64) by sa-prd-rgout-002.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com) id 5ED9AA6E1D8EA84B; Sun, 6 Dec 2020 15:29:39 +0000 Message-ID: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com> Subject: Re: How is policy.31 created from modules under /usr/share/selinux From: Richard Haines To: Ashish Mishra Cc: selinux-refpolicy@vger.kernel.org, Paul Moore , SElinux list Date: Sun, 06 Dec 2020 15:29:32 +0000 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.38.1 (3.38.1-1.fc33) MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote: > Hi All  , > > Good Morning . > > I am following the SELINUX NOTEBOOK & trying the same at my end . > > - The refpolicy modules are copied at /usr/share/selinux/refpolicy >    i can see around 400+ modules there . >    But can senior member' s please help me understand how is the >    /etc/selinux/refpolicy/policy/policy.31  created using the modules > available at >    /usr/share/selinux >    The command i followed : >                 $ make install-src >                 $ make conf >                 $ make load ( tried even $ make install ) >                 $ make install-headers > Just to be clear (as you didn't state whether the binary policy file was built at all), if you run these commands: mkdir refpol cd refpol git clone https://github.com/SELinuxProject/refpolicy.git Edit build.conf file to requirements (e.g. NAME = refpolicy etc.) make install-src cd /etc/selinux/refpolicy/src/policy make conf make load make install-headers The policy binary file should now be created at: /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33) True ?? To add a new module (that will rebuild the binary policy file) you can install the new *.te *.if and *.fc files in a directory and run from that directory (you will need to ensure /etc/selinux/config has SELINUXTYPE=refpolicy set): make -f /usr/share/selinux/refpolicy/include/Makefile load This Makefile basically reads the build.conf file, uses checkmodule to build the *.pp file, then semodule to add to store and build the binary policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp files). I've just tried this on Fedora 33 with no problems. Note: While running through example this I noticed an error in the Notebook - the Reference policy does not have a contibute section, I'll send patch to remove: Add the contibuted modules (policy/modules/contrib) git submodule init git submodule update > > - This can help me to debug an issue where i am trying to get selinux > of my custom >    distro where all the make command are successfully executed but > the policy.31 >    is not getting created > > - I can even see the "include" folder also getting created for make > install-headers > > Any pointers will be helpful or please let me know if i am missing > any > aspect here . > > Thanks , > Ashish.