From: sagivdev@gmail.com (Sagiv Dvash)
Date: Mon, 22 Aug 2016 10:18:16 +0300
Subject: [refpolicy] Using monolithic policy for embedded device
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello all,

I am new to SELinux and my goal is to implement a custom, small policy on an embedded device. Currently, I have a working modified (narrowed down) policy based on the targeted refpolicy (modular policy). I use a custom OpenEmbedded environment.

My thought was that since I aim to use the policy on an embedded device (so no changes should be made to the policy on target), using a monolithic policy will save space and I could also save up some system resources.

I am having trouble switching to monolithic policy. The main issue is the 'duplicate role transition for XYZ' error. This error occurs for almost any module that is not tagged as "base" in the modules.conf file. From my understanding of the SELinux Notebook, all of the modules tagged as 'module' in the modules.conf file should be compiled along with those tagged as 'base' modules when using monolithic policy.

Here is an example log for one of these errors:

| full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
| policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
| #line 493
| role_transition sysadm_r iptables_initrc_exec_t system_r;
| checkpolicy: error(s) encountered while parsing configuration

In order to be sure that the error is not caused by any additions I made, I reverted back to the targeted policy and tried again - and got similar errors.

Any hint on how to deal with this?

Thanks,
Sagiv.
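checkpolicy reports only the first duplicate it hits and gives the location as a `#line` directive plus a huge line number in the flattened policy.conf, which makes it slow to find every conflicting pair when a whole module set collides. The following script is an added example (not part of the mailing-list post, refpolicy, or checkpolicy) that scans a flattened policy.conf, honours the `#line N` directives the build emits, and lists every `(role, type, class)` key that has more than one `role_transition` statement, with the source line of each occurrence. It assumes the kernel-policy syntax `role_transition <role> <type | { type ... }> [:<class>] <new_role>;` with the class defaulting to `process`, which is the key shown in the error above; the sample policy text embedded below is constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of a flattened policy.conf fragment (not real refpolicy output).
# '#line N' directives reset the line counter the way checkpolicy's lexer does.
SAMPLE_POLICY_CONF = """\
#line 490
role_transition sysadm_r dhcpd_initrc_exec_t system_r;
#line 493
role_transition sysadm_r iptables_initrc_exec_t system_r;
allow sysadm_t iptables_initrc_exec_t:file { read execute };
#line 120
role_transition sysadm_r iptables_initrc_exec_t system_r;
role_transition sysadm_r { iptables_initrc_exec_t ntp_initrc_exec_t } system_r;
role_transition sysadm_r iptables_initrc_exec_t:process system_r;
"""

LINE_DIRECTIVE_RE = re.compile(r'^#line\s+(\d+)')
# role_transition <role> <type | { types }> [:<class>] <new_role>;
ROLE_TRANSITION_RE = re.compile(
    r'^\s*role_transition\s+(\w+)\s+(\{[^}]*\}|\w+)\s*(?::\s*(\w+))?\s+(\w+)\s*;')


def parse_role_transitions(text):
    """Return a list of (src_role, type, class, new_role, source_line) tuples.

    source_line is the line number after applying '#line' directives, so it
    matches what checkpolicy prints rather than the physical line in policy.conf.
    """
    results = []
    next_line = 1  # logical line number of the next non-directive line
    for line in text.splitlines():
        directive = LINE_DIRECTIVE_RE.match(line)
        if directive:
            next_line = int(directive.group(1))
            continue
        this_line = next_line
        next_line += 1
        m = ROLE_TRANSITION_RE.match(line)
        if not m:
            continue
        src, types, cls, dst = m.groups()
        cls = cls or 'process'  # checkpolicy defaults the object class to process
        # A brace-enclosed set expands to one transition per type.
        type_list = types.strip('{} ').split() if types.startswith('{') else [types]
        for t in type_list:
            results.append((src, t, cls, dst, this_line))
    return results


def find_duplicate_role_transitions(text):
    """Map each (src_role, type, class) seen more than once to its [(new_role, line), ...]."""
    seen = defaultdict(list)
    for src, t, cls, dst, line in parse_role_transitions(text):
        seen[(src, t, cls)].append((dst, line))
    return {key: entries for key, entries in seen.items() if len(entries) > 1}


def format_report(duplicates):
    """Render the duplicate map as one checkpolicy-style line per conflicting key."""
    report = []
    for (src, t, cls), entries in sorted(duplicates.items()):
        locs = ', '.join(f'line {line} (-> {dst})' for dst, line in entries)
        report.append(f'duplicate role transition for ({src},{t},{cls}): {locs}')
    return report


if __name__ == '__main__':
    # Usage: python3 find_dup_role_transitions.py < policy.conf
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY_CONF
    for row in format_report(find_duplicate_role_transitions(source)):
        print(row)
```

Run against the policy.conf produced by the monolithic build (`make conf` style output) to see the full set of colliding keys at once; for the constructed sample it reports a single key, `(sysadm_r,iptables_initrc_exec_t,process)`, defined at lines 493, 120, 121 and 122. Every key it lists is one that checkpolicy will reject, so it is a quick way to tell whether a module is being included twice or whether two modules genuinely define the same transition.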