From: justinmattock@gmail.com (Justin Mattock)
Date: Fri, 12 Jun 2009 11:01:32 -0700
Subject: [refpolicy] problem when compiling svn policy
In-Reply-To:
References: <1244732999.21565.750.camel@gorn.columbia.tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Jun 11, 2009 at 3:03 PM, Justin Mattock wrote:
> On Thu, Jun 11, 2009 at 10:29 AM, Justin Mattock wrote:
>> On Thu, Jun 11, 2009 at 9:06 AM, Justin Mattock wrote:
>>> On Thu, Jun 11, 2009 at 8:09 AM, Christopher J. PeBenito wrote:
>>>> On Wed, 2009-06-10 at 20:26 +0000, Justin Mattock wrote:
>>>>> I seem to be running into an issue while compiling
>>>>> the latest svn(just pulled, I'll test it out for you guys)
>>>>> I see this:
>>>>
>>>> Can you provide more detail as to the build.conf settings?  I am not
>>>> able to reproduce this.
>>>>
>>>>> make: *** No rule to make target
>>>>> `/etc/selinux/refpolicy/contexts/users/appconfig-standard', needed by
>>>>> `install'.  Stop.
>>>>>
>>>>> if I copy config/appconfig-standard to /etc/selinux/refpolicy/*
>>>>> then the policy will compile all together.
>>>>> should I just wait and pull the policy later?
>>>>>
>>>>> Also when doing make relabel I see this:
>>>>>
>>>>> Relabeling filesystem types: ext2 ext3 xfs jfs
>>>>> /sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts /
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG and /usr/bin/getconf, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFF32 and
>>>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFFBIG and
>>>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFF32, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFF32 and
>>>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFFBIG, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFFBIG and
>>>>> /usr/lib/glibc/getconf/XBS5_ILP32_OFF32, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_add:  conflicting specifications for
>>>>> /usr/lib/glibc/getconf/POSIX_V6_ILP32_OFF32 and
>>>>> /usr/lib/glibc/getconf/POSIX_V7_ILP32_OFFBIG, using
>>>>> system_u:object_r:bin_t.
>>>>> filespec_eval:  hash table stats: 163158 elements, 29863/65536 buckets
>>>>> used, longest chain length 11
>>>>>
>>>>> should I be concerned, or is this something still being worked out?
>>>>
>>>> It would seem that /usr/lib/glibc/getconf/XBS5_ILP32_OFFBIG
>>>> and /usr/bin/getconf are hardlinked, which is why there is a conflict
>>>> since they are lib_t and bin_t, respectively.  Which distribution?
>>>>
>>>> --
>>>> Chris PeBenito
>>>> Tresys Technology, LLC
>>>> (410) 290-1411 x150
>>>>
>>>>
>>>
>>> sure,
>>> Below is build.conf
>>> I'm not sure but I think
>>> choosing
>>> DISTRO = redhat
>>> might be causing these build errors.
>>> (The system right now is an LFS system, I chose
>>> redhat due to having /etc/rc.d/init.d/*)
>>>
>>> As for reproducing these build errors:
>>> If I load a fresh policy in my home directory
>>> (choose mcs) then compile then once installing
>>> I get errors(mainly file not found errors).
>>> maybe I have something wrong with the "install"
>>> command.
>>> But if I compile the policy as a standard policy
>>> seems to go through(except yesterday with some
>>> appconfig-standard confusion)
>>>
>>> seems this issue is a bit on and off, almost as if
>>> the system needs to be in a correct state to properly
>>> compile, or maybe because choosing redhat as the distro causes
>>> confusion.(but still am not certain why I'm hitting this).
>>>
>>> build.conf:
>>>
>>> ########################################
>>> #
>>> # Policy build options
>>> #
>>>
>>> # Policy version
>>> # By default, checkpolicy will create the highest
>>> # version policy it supports.  Setting this will
>>> # override the version.  This only has an
>>> # effect for monolithic policies.
>>> OUTPUT_POLICY = 22
>>>
>>> # Policy Type
>>> # standard, mls, mcs
>>> TYPE = standard
>>>
>>> # Policy Name
>>> # If set, this will be used as the policy
>>> # name.  Otherwise the policy type will be
>>> # used for the name.
>>> NAME = refpolicy
>>>
>>> # Distribution
>>> # Some distributions have portions of policy
>>> # for programs or configurations specific to the
>>> # distribution.  Setting this will enable options
>>> # for the distribution.
>>> # redhat, gentoo, debian, suse, and rhel4 are current options.
>>> # Fedora users should enable redhat.
>>> DISTRO = redhat
>>>
>>> # Unknown Permissions Handling
>>> # The behavior for handling permissions defined in the
>>> # kernel but missing from the policy.  The permissions
>>> # can either be allowed, denied, or the policy loading
>>> # can be rejected.
>>> # allow, deny, and reject are current options.
>>> UNK_PERMS = deny
>>>
>>> # Direct admin init
>>> # Setting this will allow sysadm to directly
>>> # run init scripts, instead of requring run_init.
>>> # This is a build option, as role transitions do
>>> # not work in conditional policy.
>>> DIRECT_INITRC = n
>>>
>>> # Build monolithic policy.  Putting n here
>>> # will build a loadable module policy.
>>> MONOLITHIC = y
>>>
>>> # User-based access control (UBAC)
>>> # Enable UBAC for role separations.
>>> UBAC = y
>>>
>>> # Number of MLS Sensitivities
>>> # The sensitivities will be s0 to s(MLS_SENS-1).
>>> # Dominance will be in increasing numerical order
>>> # with s0 being lowest.
>>> MLS_SENS = 16
>>>
>>> # Number of MLS Categories
>>> # The categories will be c0 to c(MLS_CATS-1).
>>> MLS_CATS = 256
>>>
>>> # Number of MCS Categories
>>> # The categories will be c0 to c(MLS_CATS-1).
>>> MCS_CATS = 256
>>>
>>> # Set this to y to only display status messages
>>> # during build.
>>> QUIET = n
>>>
>>> As for any other adjustments, only
>>> policy/users(for adding the user)
>>> and default_contexts local_login
>>> for the starting role.
>>> then adding allow rules, and that's it
>>> (I mainly am running the policy as set by you
>>> guys, without any tweaks to it as much as possible).
>>>
>>> I'll go ahead and try and recreate these errors
>>> so you can get an idea of what I'm seeing.
>>>
>>> --
>>> Justin P. Mattock
>>>
>>
>> This is what I see when using the same build.conf
>> above, except just changing:
>> TYPE = mcs
>> NAME = mcs
>> (then issue the following commands: make clean,
>> make conf, make policy, sudo make install)
>> results:
>>
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
>> install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t mcs
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/mcs/contexts/default_contexts', needed by `install'.
>> Stop.
>>
>> if I do the same above
>> except
>> sudo make install-src
>> make conf
>> make policy
>> sudo make install
>>
>> I see:
>>
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
>> install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t mcs
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/mcs/contexts/default_contexts', needed by `install'.
>> Stop.
>>
>>
>> Now leaving the build.conf the same except for
>> changing DISTRO = redhat to
>> #DISTRO = redhat
>> (make clean, make conf, make policy,
>> sudo make install)
>>
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
>> install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t mcs
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/mcs/contexts/default_contexts', needed by `install'.
>> Stop.
>>
>> Now same as above just adding
>> sudo make install-src before build.conf
>>
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
>> install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t mcs
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/mcs/contexts/default_contexts', needed by `install'.
>> Stop.
>>
>> Now if I change the build.conf to:
>> TYPE = standard
>> NAME = refpolicy
>> #DISTRO = redhat
>> I see:
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
>> install -m 644 homedir_template
>> /etc/selinux/refpolicy/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t refpolicy
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/refpolicy/contexts/default_contexts', needed by
>> `install'.  Stop.
>>
>> then changing:
>> TYPE = standard
>> NAME = refpolicy
>> DISTRO = redhat
>> I see:
>>
>> Installing file_contexts.
>> install -m 644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
>> install -m 644 homedir_template
>> /etc/selinux/refpolicy/contexts/files/homedir_template
>> python -E support/genhomedircon -d /etc/selinux -t refpolicy
>> grep: /etc/libuser.conf: No such file or directory
>> You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
>> The user "staff_u" is not present in the passwd file, skipping...
>> The user "sysadm_u" is not present in the passwd file, skipping...
>> The user "unconfined_u" is not present in the passwd file, skipping...
>> make: *** No rule to make target
>> `/etc/selinux/refpolicy/contexts/default_contexts', needed by
>> `install'.  Stop.
>>
>>
>> To get mcs to properly go through the whole install process
>> I have to issue these commands:
>> (inside refpolicy tree)
>> sudo cp -Rv appconfig-mcs/* /etc/selinux/mcs/contexts
>> sudo cp -Rv config/appconfig-mcs /etc/selinux/mcs/contexts/users
>> sudo touch -v /etc/selinux/mcs/contexts/files/media
>> (then make clean,make conf,make policy,
>> sudo make install)
>>
>> For some reason the proper files are not being created,
>> and not going to the right location.
>> (seems when I loaded svn only mcs would produce this,
>> standard would follow through and install properly).
>>
>> As for libuser.conf, probably not pertaining to this.
>> (but could be wrong).
>>
>> --
>> Justin P. Mattock
>>
>
> Well I don't get it
> I have two machines here
> same system(created one, then just made
> a copy for the other) same kernel.
>
> downloaded two copies of refpolicy svn(today)
> and on one machine refpolicy compiles perfectly,
> and on the other I'm hitting this error.
> I must have something missing, or did something
> to the machine that doesn't want to compile the policy.
> (I guess out of desperation I'll just copy the good compiled policy
> over to the other machine).
>
>
> --
> Justin P. Mattock
>

Not sure how to handle this,
with the machine that passes with the latest svn,
is also failing with the latest refpolicy tar ball.
below is what sudo make -d install produces:

Installing file_contexts.
Live child 0x08134cb0 (/etc/selinux/mcs/contexts/files/file_contexts) PID 13421
Reaping winning child 0x08134cb0 PID 13421
Live child 0x08134cb0 (/etc/selinux/mcs/contexts/files/file_contexts) PID 13422
Reaping winning child 0x08134cb0 PID 13422
install -m 644 file_contexts /etc/selinux/mcs/contexts/files/file_contexts
Live child 0x08134cb0 (/etc/selinux/mcs/contexts/files/file_contexts) PID 13423
Reaping winning child 0x08134cb0 PID 13423
install -m 644 homedir_template /etc/selinux/mcs/contexts/files/homedir_template
Live child 0x08134cb0 (/etc/selinux/mcs/contexts/files/file_contexts) PID 13424
Reaping winning child 0x08134cb0 PID 13424
python -E support/genhomedircon -d /etc/selinux -t mcs
Live child 0x08134cb0 (/etc/selinux/mcs/contexts/files/file_contexts) PID 13425
grep: /etc/libuser.conf: No such file or directory
You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
Reaping winning child 0x08134cb0 PID 13425
Removing child 0x08134cb0 PID 13425 from chain.
Successfully remade target file `/etc/selinux/mcs/contexts/files/file_contexts'.
Considering target file `/etc/selinux/mcs/contexts/default_contexts'.
File `/etc/selinux/mcs/contexts/default_contexts' does not exist.
Looking for an implicit rule for `/etc/selinux/mcs/contexts/default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying rule prerequisite `config/appconfig-mcs'.
Trying implicit prerequisite `/default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/etc/selinux/mcs/contexts/default_contexts,v'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/etc/selinux/mcs/contexts/RCS/default_contexts,v'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/etc/selinux/mcs/contexts/RCS/default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/etc/selinux/mcs/contexts/s.default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/etc/selinux/mcs/contexts/SCCS/s.default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying rule prerequisite `config/appconfig-mcs'.
Trying implicit prerequisite `/default_contexts'.
Looking for a rule with intermediate file `/default_contexts'.
Avoiding implicit rule recursion.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/default_contexts,v'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/RCS/default_contexts,v'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/RCS/default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/s.default_contexts'.
Trying pattern rule with stem `default_contexts'.
Trying implicit prerequisite `/SCCS/s.default_contexts'.
No implicit rule found for `/etc/selinux/mcs/contexts/default_contexts'.
Finished prerequisites of target file `/etc/selinux/mcs/contexts/default_contexts'.
Must remake target `/etc/selinux/mcs/contexts/default_contexts'.
make: *** No rule to make target `/etc/selinux/mcs/contexts/default_contexts', needed by `install'. Stop.

No implicit rule found for `/etc/selinux/mcs/contexts/default_contexts'.
What rule might this be looking for?

(BTW I accidentally just sent a post that had an
attachment of the debug messages, that ended up being too big, sorry)

--
Justin P. Mattock
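
Added example (not part of the original message and not refpolicy code): the quoted explanation of the filespec_add warnings is that one inode is reachable under paths that receive different types (bin_t and lib_t). The Python sketch below finds such hard-link groups in a tree; the two-entry SPECS table, the first-match rule and the sample tree are constructed assumptions, not refpolicy's file_contexts.

```python
import os
import re
import stat
import tempfile

# Constructed stand-in for two file_contexts entries (assumption, not the
# real refpolicy file). Simplified model: the first full match decides.
SPECS = [
    (re.compile(r"/usr/bin(/.*)?"), "bin_t"),
    (re.compile(r"/usr/lib(/.*)?"), "lib_t"),
]

def label_for(path, specs=SPECS):
    """Return the type of the first spec that fully matches path, else None."""
    for pattern, setype in specs:
        if pattern.fullmatch(path):
            return setype
    return None

def find_hardlink_conflicts(root, specs=SPECS):
    """Return one {path: type} dict per inode whose links map to >1 type."""
    by_inode = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                rel = "/" + os.path.relpath(full, root)
                by_inode.setdefault((st.st_dev, st.st_ino), []).append(rel)
    conflicts = []
    for paths in by_inode.values():
        labels = {p: label_for(p, specs) for p in sorted(paths)}
        if len(set(labels.values())) > 1:
            conflicts.append(labels)
    return conflicts

def demo():
    """Build a constructed tree mirroring the thread's paths and scan it."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        libdir = os.path.join(root, "usr", "lib", "glibc", "getconf")
        os.makedirs(bindir)
        os.makedirs(libdir)
        getconf = os.path.join(bindir, "getconf")
        open(getconf, "w").close()  # empty stand-in for the real binary
        os.link(getconf, os.path.join(libdir, "XBS5_ILP32_OFFBIG"))
        return find_hardlink_conflicts(root)

if __name__ == "__main__":
    print(demo())
```

Pointing find_hardlink_conflicts at a real root with a fuller spec table lists the link groups that need a single consistent type before relabeling.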