From: justinmattock@gmail.com (Justin Mattock)
Date: Thu, 11 Jun 2009 10:29:09 -0700
Subject: [refpolicy] problem when compiling svn policy
In-Reply-To:
References: <1244732999.21565.750.camel@gorn.columbia.tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jun 11, 2009 at 9:06 AM, Justin Mattock wrote:
> On Thu, Jun 11, 2009 at 8:09 AM, Christopher J.
> PeBenito wrote:
>> On Wed, 2009-06-10 at 20:26 +0000, Justin Mattock wrote:
>>> I seem to be running into an issue while compiling
>>> the latest svn (just pulled, I'll test it out for you guys)
>>> I see this:
>>
>> Can you provide more detail as to the build.conf settings?  I am not
>> able to reproduce this.
>>
>>> make: *** No rule to make target
>>> `/etc/selinux/refpolicy/contexts/users/appconfig-standard', needed by
>>> `install'.  Stop.
>>>
>>> if I copy config/appconfig-standard to /etc/selinux/refpolicy/*
>>> then the policy will compile all together.
>>> should I just wait and pull the policy later?
>>>
>>> Also when doing make relabel I see this:
>>>
>>> Relabeling filesystem types: ext2 ext3 xfs jfs
>>> /sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts /
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG and /usr/bin/getconf, using
>>> system_u:object_r:bin_t.
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFF32 and
>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG, using
>>> system_u:object_r:bin_t.
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFFBIG and
>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFF32, using
>>> system_u:object_r:bin_t.
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFF32 and
>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using
>>> system_u:object_r:bin_t.
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFFBIG and
>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFF32, using
>>> system_u:object_r:bin_t.
>>> filespec_add:  conflicting specifications for
>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFF32 and
>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFFBIG, using
>>> system_u:object_r:bin_t.
>>> filespec_eval:  hash table stats: 163158 elements, 29863/65536 buckets
>>> used, longest chain length 11
>>>
>>> should I be concerned, or is this something still being worked out?
>>
>> It would seem that /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG
>> and /usr/bin/getconf are hardlinked, which is why there is a conflict
>> since they are lib_t and bin_t, respectively.  Which distribution?
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
>
> sure,
> Below is build.conf
> I'm not sure but I think
> choosing
> DISTRO = redhat
> might be causing these build errors.
> (The system right now is an LFS system, I chose
> redhat due to having /etc/rc.d/init.d/*)
>
> As for reproducing these build errors:
> If I load a fresh policy in my home directory
> (choose mcs) then compile then once installing
> I get errors (mainly file not found errors).
> maybe I have something wrong with the "install"
> command.
> But if I compile the policy as a standard policy
> seems to go through (except yesterday with some
> appconfig-standard confusion)
>
> seems this issue is a bit on and off, almost as if
> the system needs to be in a correct state to properly
> compile, or maybe because choosing redhat as the distro causes
> confusion. (but still am not certain why I'm hitting this).
>
> build.conf:
>
> ########################################
> #
> # Policy build options
> #
>
> # Policy version
> # By default, checkpolicy will create the highest
> # version policy it supports.  Setting this will
> # override the version.  This only has an
> # effect for monolithic policies.
> OUTPUT_POLICY = 22
>
> # Policy Type
> # standard, mls, mcs
> TYPE = standard
>
> # Policy Name
> # If set, this will be used as the policy
> # name.  Otherwise the policy type will be
> # used for the name.
> NAME = refpolicy
>
> # Distribution
> # Some distributions have portions of policy
> # for programs or configurations specific to the
> # distribution.  Setting this will enable options
> # for the distribution.
> # redhat, gentoo, debian, suse, and rhel4 are current options.
> # Fedora users should enable redhat.
> DISTRO = redhat
>
> # Unknown Permissions Handling
> # The behavior for handling permissions defined in the
> # kernel but missing from the policy.  The permissions
> # can either be allowed, denied, or the policy loading
> # can be rejected.
> # allow, deny, and reject are current options.
> UNK_PERMS = deny
>
> # Direct admin init
> # Setting this will allow sysadm to directly
> # run init scripts, instead of requiring run_init.
> # This is a build option, as role transitions do
> # not work in conditional policy.
> DIRECT_INITRC = n
>
> # Build monolithic policy.  Putting n here
> # will build a loadable module policy.
> MONOLITHIC = y
>
> # User-based access control (UBAC)
> # Enable UBAC for role separations.
> UBAC = y
>
> # Number of MLS Sensitivities
> # The sensitivities will be s0 to s(MLS_SENS-1).
> # Dominance will be in increasing numerical order
> # with s0 being lowest.
> MLS_SENS = 16
>
> # Number of MLS Categories
> # The categories will be c0 to c(MLS_CATS-1).
> MLS_CATS = 256
>
> # Number of MCS Categories
> # The categories will be c0 to c(MLS_CATS-1).
> MCS_CATS = 256
>
> # Set this to y to only display status messages
> # during build.
> QUIET = n
>
> As for any other adjustments, only
> policy/users (for adding the user)
> and default_contexts local_login
> for the starting role.
> then adding allow rules, and that's it
> (I mainly am running the policy as set by you
> guys, without any tweaks to it as much as possible).
>
> I'll go ahead and try and recreate these errors
> so you can get an idea of what I'm seeing.
>
> --
> Justin P. Mattock
>

This is what I see when using the same build.conf above,
except just changing:
TYPE = mcs
NAME = mcs
(then issue the following commands:
make clean, make conf, make policy, sudo make install)

results:

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t mcs
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/mcs/contexts/default_contexts', needed by `install'. Stop.

if I do the same above except
sudo make install-src
make conf
make policy
sudo make install

I see:

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t mcs
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/mcs/contexts/default_contexts', needed by `install'. Stop.

Now leaving the build.conf the same except for changing
DISTRO = redhat
to
#DISTRO = redhat
(make clean, make conf, make policy, sudo make install)

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t mcs
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/mcs/contexts/default_contexts', needed by `install'. Stop.

Now same as above just adding
sudo make install-src
before build.conf

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t mcs
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/mcs/contexts/default_contexts', needed by `install'. Stop.

Now if I change the build.conf to:
TYPE = standard
NAME = refpolicy
#DISTRO = redhat

I see:

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/refpolicy/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t refpolicy
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/refpolicy/contexts/default_contexts', needed by `install'. Stop.

then changing:
TYPE = standard
NAME = refpolicy
DISTRO = redhat

I see:

Installing file_contexts.
install -m 644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
install -m 644 homedir_template /etc/selinux/refpolicy/contexts/files/homedir_template
python -E support/genhomedircon -d /etc/selinux -t refpolicy
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf
LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
make: *** No rule to make target `/etc/selinux/refpolicy/contexts/default_contexts', needed by `install'. Stop.

To get mcs to properly go through the whole install process
I have to issue these commands:
(inside refpolicy tree)
sudo cp -Rv appconfig-mcs/* /etc/selinux/mcs/contexts
sudo cp -Rv config/appconfig-mcs /etc/selinux/mcs/contexts/users
sudo touch -v /etc/selinux/mcs/contexts/files/media
(then make clean, make conf, make policy, sudo make install)

For some reason the proper files are not being created,
and not going to the right location.
(seems when I loaded svn only mcs would produce this,
standard would follow through and install properly).

As for libuser.conf, probably not pertaining to this.
(but could be wrong).

--
Justin P. Mattock
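
The quoted reply attributes the setfiles "conflicting specifications" messages to /usr/bin/getconf and the files under /usr/lib/glibc/getconf being hard links to one inode. The shell function below is an added example, not part of the original message or of refpolicy: it lists every group of paths under the given directories that share an inode. It assumes all start directories are on one filesystem; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list groups of paths that are hard links to one inode.
# Assumption: all start directories are on the same filesystem, so an
# inode number alone identifies a file.

hardlink_groups() {
    # -links +1 keeps only files that have more than one name;
    # ls -di prints "<inode> <path>" for each of them.
    find "$@" -xdev -type f -links +1 -exec ls -di {} + 2>/dev/null |
    sort -n |
    awk '{
        inode = $1
        path = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", path)   # drop the inode column
        if (inode == prev) { group = group "\t" path; n++ }
        else {
            if (n > 1) print group             # flush the previous group
            group = path; n = 1; prev = inode
        }
    } END { if (n > 1) print group }'
}

# Constructed sample tree that mirrors the two paths named in the thread.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/lib/glibc/getconf"
    echo sample > "$root/usr/bin/getconf"
    ln "$root/usr/bin/getconf" "$root/usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG"
    echo sample > "$root/usr/bin/unrelated"    # single link, not reported
    hardlink_groups "$root/usr"
    rm -rf "$root"
}

demo
```

Each output line is one inode with its paths separated by tabs; a line whose paths fall under both a bin and a lib directory is a file that two file_contexts entries can label differently.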