I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
git clone https://github.com/TresysTechnology/refpolicy.git
cd refpolicy
git submodule init
git submodule update
git checkout RELEASE_2_20161023
( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
make conf
make install
My build.conf looks like this:
TYPE = standard
NAME = refpolicy
DISTRO = debian
UNK_PERMS = deny
DIRECT_INITRC = n
SYSTEMD = y
MONOLITHIC = n
UBAC = y
CUSTOM_BUILDOPT =
MLS_SENS = 16
MLS_CATS = 1024
MCS_CATS = 1024
QUIET = n
Pretty normal stuff.
Unfortunately, though it properly loads at the time of "make install,"
it isn't installed into the expected directory by my distro.
Apparently, Ubuntu wants the binary files to be located at
/etc/selinux/$NAME. The upstream "selinux-policy-default" package
installs its dependencies to /etc/selinux/default and its contents can
be viewed here: http://pastebin.com/8fXvdFUA
Is there a variable I need to set to have the reference policy install
itself/copy its files following this pattern to
/etc/selinux/refpolicy?
Did you follow the guide? https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
And i think semanage requires the -S switch to operate on a non loaded policy store:
-S, --store
Select and alternate SELinux store to manage
-thomas
Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy <[email protected]>:
>I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
>
>git clone https://github.com/TresysTechnology/refpolicy.git
>cd refpolicy
>git submodule init
>git submodule update
>git checkout RELEASE_2_20161023
>( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>make conf
>make install
>
>My build.conf looks like this:
>
>TYPE = standard
>NAME = refpolicy
>DISTRO = debian
>UNK_PERMS = deny
>DIRECT_INITRC = n
>SYSTEMD = y
>MONOLITHIC = n
>UBAC = y
>CUSTOM_BUILDOPT =
>MLS_SENS = 16
>MLS_CATS = 1024
>MCS_CATS = 1024
>QUIET = n
>
>Pretty normal stuff.
>
>Unfortunately, though it properly loads at the time of "make install,"
>it isn't installed into the expected directory by my distro.
>Apparently, Ubuntu wants the binary files to be located at
>/etc/selinux/$NAME. The upstream "selinux-policy-default" package
>installs its dependencies to /etc/selinux/default and its contents can
>be viewed here: http://pastebin.com/8fXvdFUA
>
>Is there a variable I need to set to have the reference policy install
>itself/copy its files following this pattern to
>/etc/selinux/refpolicy?
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170117/3333b8d0/attachment.html
I have not, I was unfortunately not aware of it. Following instructions now.
Thanks,
- Naftuli Kay
On Mon, Jan 16, 2017 at 9:05 PM, Thomas <[email protected]> wrote:
> Did you follow the guide?
> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
>
> And i think semanage requires the -S switch to operate on a non loaded
> policy store:
>
> -S, --store
> Select and alternate SELinux store to manage
>
> -thomas
>
> Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy
> <[email protected]>:
>>
>> I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
>>
>> git clone https://github.com/TresysTechnology/refpolicy.git
>> cd refpolicy
>> git submodule init
>> git submodule update
>> git checkout RELEASE_2_20161023
>> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>> make conf
>> make install
>>
>> My build.conf looks like this:
>>
>> TYPE = standard
>> NAME = refpolicy
>> DISTRO = debian
>> UNK_PERMS = deny
>> DIRECT_INITRC = n
>> SYSTEMD = y
>> MONOLITHIC = n
>> UBAC = y
>> CUSTOM_BUILDOPT =
>> MLS_SENS = 16
>> MLS_CATS = 1024
>> MCS_CATS = 1024
>> QUIET = n
>>
>> Pretty normal stuff.
>>
>> Unfortunately, though it properly loads at the time of "make install,"
>> it isn't installed into the expected directory by my distro.
>> Apparently, Ubuntu wants the binary files to be located at
>> /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>> installs its dependencies to /etc/selinux/default and its contents can
>> be viewed here: http://pastebin.com/8fXvdFUA
>>
>> Is there a variable I need to set to have the reference policy install
>> itself/copy its files following this pattern to
>> /etc/selinux/refpolicy?
>> ________________________________
>>
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
I have followed the given instructions and I still don't have my
policy installed in the right place:
cd /etc/selinux/refpolicy/src/policy
make clean
make bare
make conf
make install
Compare output of tree -L 2 /etc/selinux/default: http://pastebin.com/vwtbrjfY
with output of tree -L 2 /etc/selinux/refpolicy: http://pastebin.com/aDUCEzq0
Thanks,
- Naftuli Kay
On Tue, Jan 17, 2017 at 10:09 AM, Naftuli Kay <[email protected]> wrote:
> I have not, I was unfortunately not aware of it. Following instructions now.
> Thanks,
> - Naftuli Kay
>
>
> On Mon, Jan 16, 2017 at 9:05 PM, Thomas <[email protected]> wrote:
>> Did you follow the guide?
>> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
>>
>> And i think semanage requires the -S switch to operate on a non loaded
>> policy store:
>>
>> -S, --store
>> Select and alternate SELinux store to manage
>>
>> -thomas
>>
>> Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy
>> <[email protected]>:
>>>
>>> I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
>>>
>>> git clone https://github.com/TresysTechnology/refpolicy.git
>>> cd refpolicy
>>> git submodule init
>>> git submodule update
>>> git checkout RELEASE_2_20161023
>>> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>>> make conf
>>> make install
>>>
>>> My build.conf looks like this:
>>>
>>> TYPE = standard
>>> NAME = refpolicy
>>> DISTRO = debian
>>> UNK_PERMS = deny
>>> DIRECT_INITRC = n
>>> SYSTEMD = y
>>> MONOLITHIC = n
>>> UBAC = y
>>> CUSTOM_BUILDOPT =
>>> MLS_SENS = 16
>>> MLS_CATS = 1024
>>> MCS_CATS = 1024
>>> QUIET = n
>>>
>>> Pretty normal stuff.
>>>
>>> Unfortunately, though it properly loads at the time of "make install,"
>>> it isn't installed into the expected directory by my distro.
>>> Apparently, Ubuntu wants the binary files to be located at
>>> /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>>> installs its dependencies to /etc/selinux/default and its contents can
>>> be viewed here: http://pastebin.com/8fXvdFUA
>>>
>>> Is there a variable I need to set to have the reference policy install
>>> itself/copy its files following this pattern to
>>> /etc/selinux/refpolicy?
>>> ________________________________
>>>
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello.
If you do "make conf" before "make install" it will override the configuration that you have previously created (including the name of the policy and therefore its location).
Try the following sequence from the top-level directory where you have the policy source (for example as checked out from git or extracted from a release):
make clean
make conf
edit build.conf to suit your needs (including the name of the policy, for example "refpolicy")
make install-src
make policy
make install
edit /etc/selinux/config to select the new policy
make load
That is it. The next time you build it, don't issue "make conf" again, it is just to get an initial build configuration file.
I hope it helps.
Regards,
Guido
On the 17th of January 2017 19:21:09 CET, Naftuli Kay via refpolicy <[email protected]> wrote:
>I have followed the given instructions and I still don't have my
>policy installed in the right place:
>
>cd /etc/selinux/refpolicy/src/policy
>make clean
>make bare
>make conf
>make install
>
>Compare output of tree -L 2 /etc/selinux/default:
>http://pastebin.com/vwtbrjfY
>
>with output of tree -L 2 /etc/selinux/refpolicy:
>http://pastebin.com/aDUCEzq0
>Thanks,
> - Naftuli Kay
>
>
>On Tue, Jan 17, 2017 at 10:09 AM, Naftuli Kay <[email protected]>
>wrote:
>> I have not, I was unfortunately not aware of it. Following
>instructions now.
>> Thanks,
>> - Naftuli Kay
>>
>>
>> On Mon, Jan 16, 2017 at 9:05 PM, Thomas <[email protected]>
>wrote:
>>> Did you follow the guide?
>>> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
>>>
>>> And i think semanage requires the -S switch to operate on a non
>loaded
>>> policy store:
>>>
>>> -S, --store
>>> Select and alternate SELinux store to manage
>>>
>>> -thomas
>>>
>>> Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy
>>> <[email protected]>:
>>>>
>>>> I'm on Ubuntu 16.04 and I've just compiled the reference policy
>via:
>>>>
>>>> git clone https://github.com/TresysTechnology/refpolicy.git
>>>> cd refpolicy
>>>> git submodule init
>>>> git submodule update
>>>> git checkout RELEASE_2_20161023
>>>> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>>>> make conf
>>>> make install
>>>>
>>>> My build.conf looks like this:
>>>>
>>>> TYPE = standard
>>>> NAME = refpolicy
>>>> DISTRO = debian
>>>> UNK_PERMS = deny
>>>> DIRECT_INITRC = n
>>>> SYSTEMD = y
>>>> MONOLITHIC = n
>>>> UBAC = y
>>>> CUSTOM_BUILDOPT =
>>>> MLS_SENS = 16
>>>> MLS_CATS = 1024
>>>> MCS_CATS = 1024
>>>> QUIET = n
>>>>
>>>> Pretty normal stuff.
>>>>
>>>> Unfortunately, though it properly loads at the time of "make
>install,"
>>>> it isn't installed into the expected directory by my distro.
>>>> Apparently, Ubuntu wants the binary files to be located at
>>>> /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>>>> installs its dependencies to /etc/selinux/default and its contents
>can
>>>> be viewed here: http://pastebin.com/8fXvdFUA
>>>>
>>>> Is there a variable I need to set to have the reference policy
>install
>>>> itself/copy its files following this pattern to
>>>> /etc/selinux/refpolicy?
>>>> ________________________________
>>>>
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
16.04. I have installed all build dependencies and I have cloned the
Git repository to a local directory at
~/Documents/Development/refpolicy.
I have made sure that both the top-level Git repository (refpolicy)
and the refpolicy-contrib submodule are both up to date with latest
master from GitHub.
Following Guido's guidance, I did the following:
cd ~/Documents/Development/refpolicy
make clean
make conf
I then edited build.conf to enable systemd, because that is my init
here on 16.04. I did not make any other modifications, the policy name
is refpolicy and the type is standard.
I then ran:
$ sudo make install-src
rm -rf /etc/selinux/refpolicy/src/policy.old
mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory
Makefile:551: recipe for target 'install-src' failed
make: [install-src] Error 1 (ignored)
mkdir -p /etc/selinux/refpolicy/src/policy
cp -R . /etc/selinux/refpolicy/src/policy
$ sudo make install-src
rm -rf /etc/selinux/refpolicy/src/policy.old
mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
mkdir -p /etc/selinux/refpolicy/src/policy
cp -R . /etc/selinux/refpolicy/src/policy
The first time, as shown, errored, and the second time seemed to work.
I then ran:
make policy
sudo make install
It compiled all of the modules and it seems that it installed
everything to /usr/share/selinux/refpolicy, rather than
/etc/selinux/refpolicy, which it seems is what my distribution
expects.
I then ran
sudo make load
It failed with:
/usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.
There is a lot of debugging output which I have listed here:
https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5
There are multiple files describing the contents of
/usr/share/selinux/refpolicy, /etc/selinux/refpolicy, my kernel
command line, and more.
I'm not sure what I'm doing wrong, but I may setup a 16.04 Vagrant VM
project to see if I can iterate on this to know exactly the steps that
need to be taken to get things to work.
Thanks,
- Naftuli Kay
On Tue, Jan 17, 2017 at 3:11 PM, Guido Trentalancia via refpolicy
<[email protected]> wrote:
> Hello.
>
> If you do "make conf" before "make install" it will override the configuration that you have previously created (including the name of the policy and therefore its location).
>
> Try the following sequence from the top-level directory where you have the policy source (for example as checked out from git or extracted from a release):
>
> make clean
> make conf
>
> edit build.conf to suit your needs (including the name of the policy, for example "refpolicy")
>
> make install-src
> make policy
> make install
>
> edit /etc/selinux/config to select the new policy
>
> make load
>
> That is it. The next time you build it, don't issue "make conf" again, it is just to get an initial build configuration file.
>
> I hope it helps.
>
> Regards,
>
> Guido
>
> On the 17th of January 2017 19:21:09 CET, Naftuli Kay via refpolicy <[email protected]> wrote:
>>I have followed the given instructions and I still don't have my
>>policy installed in the right place:
>>
>>cd /etc/selinux/refpolicy/src/policy
>>make clean
>>make bare
>>make conf
>>make install
>>
>>Compare output of tree -L 2 /etc/selinux/default:
>>http://pastebin.com/vwtbrjfY
>>
>>with output of tree -L 2 /etc/selinux/refpolicy:
>>http://pastebin.com/aDUCEzq0
>>Thanks,
>> - Naftuli Kay
>>
>>
>>On Tue, Jan 17, 2017 at 10:09 AM, Naftuli Kay <[email protected]>
>>wrote:
>>> I have not, I was unfortunately not aware of it. Following
>>instructions now.
>>> Thanks,
>>> - Naftuli Kay
>>>
>>>
>>> On Mon, Jan 16, 2017 at 9:05 PM, Thomas <[email protected]>
>>wrote:
>>>> Did you follow the guide?
>>>> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
>>>>
>>>> And i think semanage requires the -S switch to operate on a non
>>loaded
>>>> policy store:
>>>>
>>>> -S, --store
>>>> Select and alternate SELinux store to manage
>>>>
>>>> -thomas
>>>>
>>>> Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy
>>>> <[email protected]>:
>>>>>
>>>>> I'm on Ubuntu 16.04 and I've just compiled the reference policy
>>via:
>>>>>
>>>>> git clone https://github.com/TresysTechnology/refpolicy.git
>>>>> cd refpolicy
>>>>> git submodule init
>>>>> git submodule update
>>>>> git checkout RELEASE_2_20161023
>>>>> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>>>>> make conf
>>>>> make install
>>>>>
>>>>> My build.conf looks like this:
>>>>>
>>>>> TYPE = standard
>>>>> NAME = refpolicy
>>>>> DISTRO = debian
>>>>> UNK_PERMS = deny
>>>>> DIRECT_INITRC = n
>>>>> SYSTEMD = y
>>>>> MONOLITHIC = n
>>>>> UBAC = y
>>>>> CUSTOM_BUILDOPT =
>>>>> MLS_SENS = 16
>>>>> MLS_CATS = 1024
>>>>> MCS_CATS = 1024
>>>>> QUIET = n
>>>>>
>>>>> Pretty normal stuff.
>>>>>
>>>>> Unfortunately, though it properly loads at the time of "make
>>install,"
>>>>> it isn't installed into the expected directory by my distro.
>>>>> Apparently, Ubuntu wants the binary files to be located at
>>>>> /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>>>>> installs its dependencies to /etc/selinux/default and its contents
>>can
>>>>> be viewed here: http://pastebin.com/8fXvdFUA
>>>>>
>>>>> Is there a variable I need to set to have the reference policy
>>install
>>>>> itself/copy its files following this pattern to
>>>>> /etc/selinux/refpolicy?
>>>>> ________________________________
>>>>>
>>>>> refpolicy mailing list
>>>>> refpolicy at oss.tresys.com
>>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>_______________________________________________
>>refpolicy mailing list
>>refpolicy at oss.tresys.com
>>http://oss.tresys.com/mailman/listinfo/refpolicy
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello again.
First thing, if you meet problems again after trying the following
advice, then it is probably a good idea to rename your new policy (the
one that you build), so that you can distinguish from the default
policy installed from your distribution (otherwise there is no
difference other than the timestamp).
On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
> 16.04. I have installed all build dependencies and I have cloned the
> Git repository to a local directory at
> ~/Documents/Development/refpolicy.
>
> I have made sure that both the top-level Git repository (refpolicy)
> and the refpolicy-contrib submodule are both up to date with latest
> master from GitHub.
>
> Following Guido's guidance, I did the following:
>
> cd ~/Documents/Development/refpolicy
> make clean
> make conf
>
> I then edited build.conf to enable systemd, because that is my init
> here on 16.04. I did not make any other modifications, the policy
> name
> is refpolicy and the type is standard.
>
> I then ran:
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy
> /etc/selinux/refpolicy/src/policy.old
> mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or
> directory
> Makefile:551: recipe for target 'install-src' failed
> make: [install-src] Error 1 (ignored)
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy
> /etc/selinux/refpolicy/src/policy.old
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> The first time, as shown, errored, and the second time seemed to
> work.
That is normal.
> I then ran:
>
> make policy
> sudo make install
>
> It compiled all of the modules and it seems that it installed
> everything to /usr/share/selinux/refpolicy, rather than
> /etc/selinux/refpolicy, which it seems is what my distribution
> expects.
>
> I then ran
>
> sudo make load
>
> It failed with:
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be
> accessed.
Perhaps, the policy that is currently loaded (from your distribution)
uses a different directory to store the policy itself and therefore
doesn't let you load the new policy from a different directory...
In that case, you can try temporarily disabling SELinux by switching
from "enforcing" mode to "permissive" mode, then load the new policy
and finally switch back to SELinux "enforcing" mode:
# setenforce 0
# sudo make load
# setenforce 1
If you are still experiecing problems, try "make load" as root instead
of sudo.
I hope this helps...
Regards,
Guido
Consider you also have to relabel the filesystem, ideally after
installing and before loading a new policy:
# make relabel
Of course, this is not related to the error that you reported, but
doing so will prevent further problems once you have finally managed to
load the new policy...
Regards,
Guido
On Sun, 29/01/2017 at 21.29 +0100, Guido Trentalancia via refpolicy
wrote:
> Hello again.
>
> First thing, if you meet problems again after trying the following
> advice, then it is probably a good idea to rename your new policy
> (the
> one that you build), so that you can distinguish from the default
> policy installed from your distribution (otherwise there is no
> difference other than the timestamp).
>
> On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> >
> > Okay, so again to reiterate, I am on elementary Loki, which is
> > Ubuntu
> > 16.04. I have installed all build dependencies and I have cloned
> > the
> > Git repository to a local directory at
> > ~/Documents/Development/refpolicy.
> >
> > I have made sure that both the top-level Git repository (refpolicy)
> > and the refpolicy-contrib submodule are both up to date with latest
> > master from GitHub.
> >
> > Following Guido's guidance, I did the following:
> >
> > cd ~/Documents/Development/refpolicy
> > make clean
> > make conf
> >
> > I then edited build.conf to enable systemd, because that is my init
> > here on 16.04. I did not make any other modifications, the policy
> > name
> > is refpolicy and the type is standard.
> >
> > I then ran:
> >
> > $ sudo make install-src
> > rm -rf /etc/selinux/refpolicy/src/policy.old
> > mv /etc/selinux/refpolicy/src/policy
> > /etc/selinux/refpolicy/src/policy.old
> > mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file
> > or
> > directory
> > Makefile:551: recipe for target 'install-src' failed
> > make: [install-src] Error 1 (ignored)
> > mkdir -p /etc/selinux/refpolicy/src/policy
> > cp -R . /etc/selinux/refpolicy/src/policy
> >
> > $ sudo make install-src
> > rm -rf /etc/selinux/refpolicy/src/policy.old
> > mv /etc/selinux/refpolicy/src/policy
> > /etc/selinux/refpolicy/src/policy.old
> > mkdir -p /etc/selinux/refpolicy/src/policy
> > cp -R . /etc/selinux/refpolicy/src/policy
> >
> > The first time, as shown, errored, and the second time seemed to
> > work.
>
> That is normal.
>
> >
> > I then ran:
> >
> > make policy
> > sudo make install
> >
> > It compiled all of the modules and it seems that it installed
> > everything to /usr/share/selinux/refpolicy, rather than
> > /etc/selinux/refpolicy, which it seems is what my distribution
> > expects.
> >
> > I then ran
> >
> > sudo make load
> >
> > It failed with:
> >
> > /usr/sbin/semodule: SELinux policy is not managed or store cannot
> > be
> > accessed.
>
> Perhaps, the policy that is currently loaded (from your distribution)
> uses a different directory to store the policy itself and therefore
> doesn't let you load the new policy from a different directory...
>
> In that case, you can try temporarily disabling SELinux by switching
> from "enforcing" mode to "permissive" mode, then load the new policy
> and finally switch back to SELinux "enforcing" mode:
>
> # setenforce 0
> # sudo make load
> # setenforce 1
>
> If you are still experiecing problems, try "make load" as root
> instead
> of sudo.
>
> I hope this helps...
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
This message contains confidential information intended only for the use
of the addressee(s). If you are not the intended recipient, please
contact the sender by return e-mail and destroy all copies of the
original message.
On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
> 16.04. I have installed all build dependencies and I have cloned the
> Git repository to a local directory at
> ~/Documents/Development/refpolicy.
>
> I have made sure that both the top-level Git repository (refpolicy)
> and the refpolicy-contrib submodule are both up to date with latest
> master from GitHub.
>
> Following Guido's guidance, I did the following:
>
> cd ~/Documents/Development/refpolicy
> make clean
> make conf
>
> I then edited build.conf to enable systemd, because that is my init
> here on 16.04. I did not make any other modifications, the policy
> name
> is refpolicy and the type is standard.
>
> I then ran:
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy
> /etc/selinux/refpolicy/src/policy.old
> mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or
> directory
> Makefile:551: recipe for target 'install-src' failed
> make: [install-src] Error 1 (ignored)
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> $ sudo make install-src
> rm -rf /etc/selinux/refpolicy/src/policy.old
> mv /etc/selinux/refpolicy/src/policy
> /etc/selinux/refpolicy/src/policy.old
> mkdir -p /etc/selinux/refpolicy/src/policy
> cp -R . /etc/selinux/refpolicy/src/policy
>
> The first time, as shown, errored, and the second time seemed to
> work.
>
> I then ran:
>
> make policy
> sudo make install
>
> It compiled all of the modules and it seems that it installed
> everything to /usr/share/selinux/refpolicy, rather than
> /etc/selinux/refpolicy, which it seems is what my distribution
> expects.
>
> I then ran
>
> sudo make load
>
> It failed with:
>
> /usr/sbin/semodule: SELinux policy is not managed or store cannot be
> accessed.
>
> There is a lot of debugging output which I have listed here:
> https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5
After looking more carefully at the files that have been installed on
your system, I realize that you are missing the actual binary policy.
It's a file named "policy.29" or "policy.30" and that goes in
/etc/selinux/refpolicy. It should be generated during "make policy",
but you have not mentioned about errors during that build stage...
In the development tree, it is located top-
level:?~/Documents/Development/refpolicy/policy.29
or?~/Documents/Development/refpolicy/policy.30
Without more information, I don't know why you are missing that...
It should be generated by checkpolicy. Do you have checkpolicy
installed ? Try typing "checkpolicy -V".
Regards,
Guido
Guido,
naftuli at reprisal:~$ checkpolicy -V
29 (compatibility range 29-15)
naftuli at reprisal:~$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
This is when I have configured the default policy in
/etc/selinux/config. This is provided by Ubuntu upstream
selinux-policy-default.
As noted before, please compare the following:
https://gist.github.com/naftulikay/ac03e45ea7c66bd3537e41eac0e3d40f
As you have noted, there is no binary policy file installed in the
correct directory for refpolicy, and there is for default.
If I run a `find . -iname 'policy.*'` in my refpolicy source
directory, I find no binary policy files. How should I go about
correcting this?
Thanks,
- Naftuli Kay
On Sun, Jan 29, 2017 at 2:43 PM, Guido Trentalancia via refpolicy
<[email protected]> wrote:
> On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
>> Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
>> 16.04. I have installed all build dependencies and I have cloned the
>> Git repository to a local directory at
>> ~/Documents/Development/refpolicy.
>>
>> I have made sure that both the top-level Git repository (refpolicy)
>> and the refpolicy-contrib submodule are both up to date with latest
>> master from GitHub.
>>
>> Following Guido's guidance, I did the following:
>>
>> cd ~/Documents/Development/refpolicy
>> make clean
>> make conf
>>
>> I then edited build.conf to enable systemd, because that is my init
>> here on 16.04. I did not make any other modifications, the policy
>> name
>> is refpolicy and the type is standard.
>>
>> I then ran:
>>
>> $ sudo make install-src
>> rm -rf /etc/selinux/refpolicy/src/policy.old
>> mv /etc/selinux/refpolicy/src/policy
>> /etc/selinux/refpolicy/src/policy.old
>> mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or
>> directory
>> Makefile:551: recipe for target 'install-src' failed
>> make: [install-src] Error 1 (ignored)
>> mkdir -p /etc/selinux/refpolicy/src/policy
>> cp -R . /etc/selinux/refpolicy/src/policy
>>
>> $ sudo make install-src
>> rm -rf /etc/selinux/refpolicy/src/policy.old
>> mv /etc/selinux/refpolicy/src/policy
>> /etc/selinux/refpolicy/src/policy.old
>> mkdir -p /etc/selinux/refpolicy/src/policy
>> cp -R . /etc/selinux/refpolicy/src/policy
>>
>> The first time, as shown, errored, and the second time seemed to
>> work.
>>
>> I then ran:
>>
>> make policy
>> sudo make install
>>
>> It compiled all of the modules and it seems that it installed
>> everything to /usr/share/selinux/refpolicy, rather than
>> /etc/selinux/refpolicy, which it seems is what my distribution
>> expects.
>>
>> I then ran
>>
>> sudo make load
>>
>> It failed with:
>>
>> /usr/sbin/semodule: SELinux policy is not managed or store cannot be
>> accessed.
>>
>> There is a lot of debugging output which I have listed here:
>> https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5
>
> After looking more carefully at the files that have been installed on
> your system, I realize that you are missing the actual binary policy.
>
> It's a file named "policy.29" or "policy.30" and that goes in
> /etc/selinux/refpolicy. It should be generated during "make policy",
> but you have not mentioned about errors during that build stage...
>
> In the development tree, it is located top-
> level: ~/Documents/Development/refpolicy/policy.29
> or ~/Documents/Development/refpolicy/policy.30
>
> Without more information, I don't know why you are missing that...
>
> It should be generated by checkpolicy. Do you have checkpolicy
> installed ? Try typing "checkpolicy -V".
>
> Regards,
>
> Guido
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello again.
On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
> I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
>
> git clone https://github.com/TresysTechnology/refpolicy.git
> cd refpolicy
> git submodule init
> git submodule update
> git checkout RELEASE_2_20161023
> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
> make conf
> make install
>
> My build.conf looks like this:
>
> TYPE = standard
> NAME = refpolicy
> DISTRO = debian
> UNK_PERMS = deny
> DIRECT_INITRC = n
> SYSTEMD = y
> MONOLITHIC = n
> UBAC = y
> CUSTOM_BUILDOPT =
> MLS_SENS = 16
> MLS_CATS = 1024
> MCS_CATS = 1024
> QUIET = n
>
> Pretty normal stuff.
>
> Unfortunately, though it properly loads at the time of "make
> install,"
> it isn't installed into the expected directory by my distro.
You shouldn't worry about the installation directory. The path that is
being used should be fine. Part of the policy goes under /etc/selinux
and part goes under /usr/share/selinux.
> Apparently, Ubuntu wants the binary files to be located at
> /etc/selinux/$NAME. The upstream "selinux-policy-default" package
> installs its dependencies to /etc/selinux/default and its contents
> can
> be viewed here: http://pastebin.com/8fXvdFUA
>
> Is there a variable I need to set to have the reference policy
> install
> itself/copy its files following this pattern to
> /etc/selinux/refpolicy?
The problem is that your "make load" build step fails, as far as I
remember, and that is why you are not getting the policy.29 file in
/etc/selinux/refpolicy.
Can you try changing the TYPE of the policy in build.conf from
"standard" to "mcs" and perform all the build steps again ?
Also, please perform the build steps from the development directory
located in your home and not on the installation subdirectory of
/etc/selinux/refpolicy.
Regards,
Guido
On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
wrote:
> Hello again.
>
> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
> >
> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
> > via:
> >
> > git clone https://github.com/TresysTechnology/refpolicy.git
> > cd refpolicy
> > git submodule init
> > git submodule update
> > git checkout RELEASE_2_20161023
> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
> > make conf
> > make install
> >
> > My build.conf looks like this:
> >
> > TYPE = standard
> > NAME = refpolicy
> > DISTRO = debian
> > UNK_PERMS = deny
> > DIRECT_INITRC = n
> > SYSTEMD = y
> > MONOLITHIC = n
> > UBAC = y
> > CUSTOM_BUILDOPT =
> > MLS_SENS = 16
> > MLS_CATS = 1024
> > MCS_CATS = 1024
> > QUIET = n
> >
> > Pretty normal stuff.
> >
> > Unfortunately, though it properly loads at the time of "make
> > install,"
> > it isn't installed into the expected directory by my distro.
>
> You shouldn't worry about the installation directory. The path that
> is
> being used should be fine. Part of the policy goes under /etc/selinux
> and part goes under /usr/share/selinux.
>
> >
> > Apparently, Ubuntu wants the binary files to be located at
> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
> > installs its dependencies to /etc/selinux/default and its contents
> > can
> > be viewed here: http://pastebin.com/8fXvdFUA
> >
> > Is there a variable I need to set to have the reference policy
> > install
> > itself/copy its files following this pattern to
> > /etc/selinux/refpolicy?
>
> The problem is that your "make load" build step fails, as far as I
> remember, and that is why you are not getting the policy.29 file in
> /etc/selinux/refpolicy.
>
> Can you try changing the TYPE of the policy in build.conf from
> "standard" to "mcs" and perform all the build steps again ?
>
> Also, please perform the build steps from the development directory
> located in your home and not on the installation subdirectory of
> /etc/selinux/refpolicy.
In addition to using "mcs" instead of "standard" as the policy type,
you should revert the following patch if you are using the SELinux
tools which comes with Ubuntu:
commit 1e0561caed7b90469c037a91ff4739dc24a2de54
Author: Guido Trentalancia <[email protected]>
Date:???Fri Sep 2 12:58:42 2016 +0200
Avoid using deprecated semodule options (-b or --base) during "make
load".
Signed-off-by: Guido Trentalancia <[email protected]>
---
Rules.modular | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200
+++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200
@@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles)
# created by semanage
@echo "Loading configured modules."
@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
- $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+ $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
########################################
#
I have reverted that and I think that it is finally running as
expected, but I'm getting more errors:
Can not stat: /etc/selinux/refpolicy/contexts/files/file_contexts.local:
No such file or directory
libsemanage.sefcontext_compile: sefcontext_compile returned error code
1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
libsemanage.semanage_install_active: Could not copy
/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such
file or directory).
/usr/sbin/semodule: Failed!
Rules.modular:56: recipe for target 'load' failed
make: *** [load] Error 1
However, refpolicy is FINALLY loaded:
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: refpolicy
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 30
Hooray! How can I fix these other build problems? I'm on the latest
stable release: 2.20170204.
If these are simply Makefile issues, I might patch in to cover the
Ubuntu edge-case of semodule -b.
Thanks,
- Naftuli Kay
On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy
<[email protected]> wrote:
> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
> wrote:
>> Hello again.
>>
>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
>> >
>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
>> > via:
>> >
>> > git clone https://github.com/TresysTechnology/refpolicy.git
>> > cd refpolicy
>> > git submodule init
>> > git submodule update
>> > git checkout RELEASE_2_20161023
>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>> > make conf
>> > make install
>> >
>> > My build.conf looks like this:
>> >
>> > TYPE = standard
>> > NAME = refpolicy
>> > DISTRO = debian
>> > UNK_PERMS = deny
>> > DIRECT_INITRC = n
>> > SYSTEMD = y
>> > MONOLITHIC = n
>> > UBAC = y
>> > CUSTOM_BUILDOPT =
>> > MLS_SENS = 16
>> > MLS_CATS = 1024
>> > MCS_CATS = 1024
>> > QUIET = n
>> >
>> > Pretty normal stuff.
>> >
>> > Unfortunately, though it properly loads at the time of "make
>> > install,"
>> > it isn't installed into the expected directory by my distro.
>>
>> You shouldn't worry about the installation directory. The path that
>> is
>> being used should be fine. Part of the policy goes under /etc/selinux
>> and part goes under /usr/share/selinux.
>>
>> >
>> > Apparently, Ubuntu wants the binary files to be located at
>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>> > installs its dependencies to /etc/selinux/default and its contents
>> > can
>> > be viewed here: http://pastebin.com/8fXvdFUA
>> >
>> > Is there a variable I need to set to have the reference policy
>> > install
>> > itself/copy its files following this pattern to
>> > /etc/selinux/refpolicy?
>>
>> The problem is that your "make load" build step fails, as far as I
>> remember, and that is why you are not getting the policy.29 file in
>> /etc/selinux/refpolicy.
>>
>> Can you try changing the TYPE of the policy in build.conf from
>> "standard" to "mcs" and perform all the build steps again ?
>>
>> Also, please perform the build steps from the development directory
>> located in your home and not on the installation subdirectory of
>> /etc/selinux/refpolicy.
>
> In addition to using "mcs" instead of "standard" as the policy type,
> you should revert the following patch if you are using the SELinux
> tools which comes with Ubuntu:
>
> commit 1e0561caed7b90469c037a91ff4739dc24a2de54
> Author: Guido Trentalancia <[email protected]>
> Date: Fri Sep 2 12:58:42 2016 +0200
>
> Avoid using deprecated semodule options (-b or --base) during "make
> load".
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> Rules.modular | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200
> +++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200
> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles)
> # created by semanage
> @echo "Loading configured modules."
> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
>
> ########################################
> #
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello.
You have surely done well to revert the patch that I told you, because the SELinux tools that you are using are based on an obsolete syntax.
However, I believe that your policy has not been loaded, because of the additional errors that you quoted.
The sestatus tool is just a very simple program that reads your SELinux configuration file and prints out the name of the policy that you have configured there... It is very limited.
What matters is that semodule failed to load your new policy.
It might be due to obsolete or incompatible versions of the tools and the libraries. Either you spend time to fully debug the problem or you try the latest SELinux tools and libraries.
I hope this helps.
Regards,
Guido
On the 6th of February 2017 04:53:30 CET, Naftuli Kay <[email protected]> wrote:
>I have reverted that and I think that it is finally running as
>expected, but I'm getting more errors:
>
>Can not stat:
>/etc/selinux/refpolicy/contexts/files/file_contexts.local:
>No such file or directory
>libsemanage.sefcontext_compile: sefcontext_compile returned error code
>1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
>libsemanage.semanage_install_active: Could not copy
>/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to
>/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such
>file or directory).
>/usr/sbin/semodule: Failed!
>Rules.modular:56: recipe for target 'load' failed
>make: *** [load] Error 1
>
>However, refpolicy is FINALLY loaded:
>
>SELinux status: enabled
>SELinuxfs mount: /sys/fs/selinux
>SELinux root directory: /etc/selinux
>Loaded policy name: refpolicy
>Current mode: permissive
>Mode from config file: permissive
>Policy MLS status: disabled
>Policy deny_unknown status: denied
>Max kernel policy version: 30
>
>Hooray! How can I fix these other build problems? I'm on the latest
>stable release: 2.20170204.
>
>If these are simply Makefile issues, I might patch in to cover the
>Ubuntu edge-case of semodule -b.
>
>Thanks,
> - Naftuli Kay
>
>
>On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy
><[email protected]> wrote:
>> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
>> wrote:
>>> Hello again.
>>>
>>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
>>> >
>>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
>>> > via:
>>> >
>>> > git clone https://github.com/TresysTechnology/refpolicy.git
>>> > cd refpolicy
>>> > git submodule init
>>> > git submodule update
>>> > git checkout RELEASE_2_20161023
>>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>>> > make conf
>>> > make install
>>> >
>>> > My build.conf looks like this:
>>> >
>>> > TYPE = standard
>>> > NAME = refpolicy
>>> > DISTRO = debian
>>> > UNK_PERMS = deny
>>> > DIRECT_INITRC = n
>>> > SYSTEMD = y
>>> > MONOLITHIC = n
>>> > UBAC = y
>>> > CUSTOM_BUILDOPT =
>>> > MLS_SENS = 16
>>> > MLS_CATS = 1024
>>> > MCS_CATS = 1024
>>> > QUIET = n
>>> >
>>> > Pretty normal stuff.
>>> >
>>> > Unfortunately, though it properly loads at the time of "make
>>> > install,"
>>> > it isn't installed into the expected directory by my distro.
>>>
>>> You shouldn't worry about the installation directory. The path that
>>> is
>>> being used should be fine. Part of the policy goes under
>/etc/selinux
>>> and part goes under /usr/share/selinux.
>>>
>>> >
>>> > Apparently, Ubuntu wants the binary files to be located at
>>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>>> > installs its dependencies to /etc/selinux/default and its contents
>>> > can
>>> > be viewed here: http://pastebin.com/8fXvdFUA
>>> >
>>> > Is there a variable I need to set to have the reference policy
>>> > install
>>> > itself/copy its files following this pattern to
>>> > /etc/selinux/refpolicy?
>>>
>>> The problem is that your "make load" build step fails, as far as I
>>> remember, and that is why you are not getting the policy.29 file in
>>> /etc/selinux/refpolicy.
>>>
>>> Can you try changing the TYPE of the policy in build.conf from
>>> "standard" to "mcs" and perform all the build steps again ?
>>>
>>> Also, please perform the build steps from the development directory
>>> located in your home and not on the installation subdirectory of
>>> /etc/selinux/refpolicy.
>>
>> In addition to using "mcs" instead of "standard" as the policy type,
>> you should revert the following patch if you are using the SELinux
>> tools which comes with Ubuntu:
>>
>> commit 1e0561caed7b90469c037a91ff4739dc24a2de54
>> Author: Guido Trentalancia <[email protected]>
>> Date: Fri Sep 2 12:58:42 2016 +0200
>>
>> Avoid using deprecated semodule options (-b or --base) during "make
>> load".
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> Rules.modular | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06
>21:26:43.257773849 +0200
>> +++ refpolicy-git-06082016/Rules.modular 2016-09-02
>12:36:07.214247080 +0200
>> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles)
>> # created by semanage
>> @echo "Loading configured modules."
>> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir
>$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
>> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
>$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
>>
>> ########################################
>> #
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
Yes, I believe that I'll have to do some work to compile the userspace
utilities and package them for my distribution.
Thanks,
- Naftuli Kay
On Tue, Feb 7, 2017 at 2:52 PM, Guido Trentalancia via refpolicy <
[email protected]> wrote:
> Hello.
>
> You have surely done well to revert the patch that I told you, because the
> SELinux tools that you are using are based on an obsolete syntax.
>
> However, I believe that your policy has not been loaded, because of the
> additional errors that you quoted.
>
> The sestatus tool is just a very simple program that reads your SELinux
> configuration file and prints out the name of the policy that you have
> configured there... It is very limited.
>
> What matters is that semodule failed to load your new policy.
>
> It might be due to obsolete or incompatible versions of the tools and the
> libraries. Either you spend time to fully debug the problem or you try the
> latest SELinux tools and libraries.
>
> I hope this helps.
>
> Regards,
>
> Guido
>
> On the 6th of February 2017 04:53:30 CET, Naftuli Kay <[email protected]>
> wrote:
> >I have reverted that and I think that it is finally running as
> >expected, but I'm getting more errors:
> >
> >Can not stat:
> >/etc/selinux/refpolicy/contexts/files/file_contexts.local:
> >No such file or directory
> >libsemanage.sefcontext_compile: sefcontext_compile returned error code
> >1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
> >libsemanage.semanage_install_active: Could not copy
> >/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to
> >/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such
> >file or directory).
> >/usr/sbin/semodule: Failed!
> >Rules.modular:56: recipe for target 'load' failed
> >make: *** [load] Error 1
> >
> >However, refpolicy is FINALLY loaded:
> >
> >SELinux status: enabled
> >SELinuxfs mount: /sys/fs/selinux
> >SELinux root directory: /etc/selinux
> >Loaded policy name: refpolicy
> >Current mode: permissive
> >Mode from config file: permissive
> >Policy MLS status: disabled
> >Policy deny_unknown status: denied
> >Max kernel policy version: 30
> >
> >Hooray! How can I fix these other build problems? I'm on the latest
> >stable release: 2.20170204.
> >
> >If these are simply Makefile issues, I might patch in to cover the
> >Ubuntu edge-case of semodule -b.
> >
> >Thanks,
> > - Naftuli Kay
> >
> >
> >On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy
> ><[email protected]> wrote:
> >> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
> >> wrote:
> >>> Hello again.
> >>>
> >>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
> >>> >
> >>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
> >>> > via:
> >>> >
> >>> > git clone https://github.com/TresysTechnology/refpolicy.git
> >>> > cd refpolicy
> >>> > git submodule init
> >>> > git submodule update
> >>> > git checkout RELEASE_2_20161023
> >>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
> >>> > make conf
> >>> > make install
> >>> >
> >>> > My build.conf looks like this:
> >>> >
> >>> > TYPE = standard
> >>> > NAME = refpolicy
> >>> > DISTRO = debian
> >>> > UNK_PERMS = deny
> >>> > DIRECT_INITRC = n
> >>> > SYSTEMD = y
> >>> > MONOLITHIC = n
> >>> > UBAC = y
> >>> > CUSTOM_BUILDOPT =
> >>> > MLS_SENS = 16
> >>> > MLS_CATS = 1024
> >>> > MCS_CATS = 1024
> >>> > QUIET = n
> >>> >
> >>> > Pretty normal stuff.
> >>> >
> >>> > Unfortunately, though it properly loads at the time of "make
> >>> > install,"
> >>> > it isn't installed into the expected directory by my distro.
> >>>
> >>> You shouldn't worry about the installation directory. The path that
> >>> is
> >>> being used should be fine. Part of the policy goes under
> >/etc/selinux
> >>> and part goes under /usr/share/selinux.
> >>>
> >>> >
> >>> > Apparently, Ubuntu wants the binary files to be located at
> >>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
> >>> > installs its dependencies to /etc/selinux/default and its contents
> >>> > can
> >>> > be viewed here: http://pastebin.com/8fXvdFUA
> >>> >
> >>> > Is there a variable I need to set to have the reference policy
> >>> > install
> >>> > itself/copy its files following this pattern to
> >>> > /etc/selinux/refpolicy?
> >>>
> >>> The problem is that your "make load" build step fails, as far as I
> >>> remember, and that is why you are not getting the policy.29 file in
> >>> /etc/selinux/refpolicy.
> >>>
> >>> Can you try changing the TYPE of the policy in build.conf from
> >>> "standard" to "mcs" and perform all the build steps again ?
> >>>
> >>> Also, please perform the build steps from the development directory
> >>> located in your home and not on the installation subdirectory of
> >>> /etc/selinux/refpolicy.
> >>
> >> In addition to using "mcs" instead of "standard" as the policy type,
> >> you should revert the following patch if you are using the SELinux
> >> tools which comes with Ubuntu:
> >>
> >> commit 1e0561caed7b90469c037a91ff4739dc24a2de54
> >> Author: Guido Trentalancia <[email protected]>
> >> Date: Fri Sep 2 12:58:42 2016 +0200
> >>
> >> Avoid using deprecated semodule options (-b or --base) during "make
> >> load".
> >>
> >> Signed-off-by: Guido Trentalancia <[email protected]>
> >> ---
> >> Rules.modular | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06
> >21:26:43.257773849 +0200
> >> +++ refpolicy-git-06082016/Rules.modular 2016-09-02
> >12:36:07.214247080 +0200
> >> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles)
> >> # created by semanage
> >> @echo "Loading configured modules."
> >> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir
> >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> >> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> >>
> >> ########################################
> >> #
> >> _______________________________________________
> >> refpolicy mailing list
> >> refpolicy at oss.tresys.com
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170221/a9b56d8e/attachment.html