From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 22 Aug 2016 09:28:37 +0200
Subject: [refpolicy] Using monolithic policy for embedded device
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
> Hello all,
>
> I am new to SELinux and my goal is to implement a custom, small policy on
> an embedded device.
> Currently, I have a working modified (narrowed down) policy based on the
> targeted refpolicy (modular policy). I use a custom openembedded
> environment.
>
> My thought was that since I aim to use the policy on an embedded device (so
> no changes should be made to the policy on target), using a monolithic
> policy will save space and I could also save up some system resources.
>
> I am having trouble switching to monolithic policy. The main issue is the
> 'duplicate role transition for XYZ' error. This error occurs for almost any
> module that is not tagged as "base" in the modules.conf file. From my
> understanding of the SELinux Notebook, all of the modules tagged as
> 'module' in the modules.conf file should be compiled along with those
> tagged as 'base' modules when using monolithic policy.
>
> Here is an example log for one of these errors:
>
> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
> | #line 493
> | role_transition sysadm_r iptables_initrc_exec_t system_r;
> | checkpolicy: error(s) encountered while parsing configuration
>
> In order to be sure that the error is not caused by any additions I
> made, I reverted back to the targeted policy and tried again - and got
> similar errors.
>
> Any hint on how to deal with this?

Are you actually using reference policy or some refpolicy fork?

Note that for example the RedHat reference policy forks differ quite a bit from upstream reference policy, and so it may be a fork-specific issue.

I used to do "quick-tests" every time I committed to refpolicy-contrib, to ensure that the refpolicy builds (also in a monolithic config), and I strongly suspect that the maintainer does this as well.

> Thanks,
> Sagiv.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
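The checkpolicy error quoted in the thread names the offending triple (role, type, class) and one source location, but not the second place the same role_transition was emitted into the flattened policy.conf. The script below is an added example (not code from the thread, refpolicy or checkpolicy): it walks a policy.conf, tracks the `#line N "file"` synclines that the monolithic build leaves in the output, and reports every (role, type, class) key that appears more than once together with all source locations, treating a missing class as `process` the way the error message does. The embedded policy.conf excerpt is constructed for the example; the file names and line numbers in it other than sysadm.te:493 are assumptions, not taken from the thread.

```python
import re
import sys
from collections import defaultdict

# Constructed excerpt of a flattened policy.conf, in the shape the monolithic
# refpolicy build produces (m4 synclines followed by policy statements). The
# duplicated sysadm_r/iptables_initrc_exec_t transition mirrors the error in
# the thread; the file names and line numbers other than sysadm.te:493 are
# assumed for illustration, not taken from the thread.
SAMPLE_POLICY_CONF = '''\
#line 120 "policy/modules/system/init.te"
role_transition sysadm_r iptables_initrc_exec_t system_r;
#line 40 "policy/modules/admin/iptables.te"
role_transition sysadm_r iptables_initrc_exec_t:process system_r;
#line 493 "policy/modules/roles/sysadm.te"
role_transition sysadm_r dmesg_initrc_exec_t system_r;
role_transition staff_r iptables_initrc_exec_t system_r;
'''

# m4 -s emits either '#line N "file"' or a bare '#line N'
LINE_DIRECTIVE = re.compile(r'^#line\s+(\d+)(?:\s+"([^"]*)")?')
# role_transition <role> <type>[:<class>] <new_role>;
ROLE_TRANSITION = re.compile(
    r'^\s*role_transition\s+(\w+)\s+(\w+)(?::(\w+))?\s+(\w+)\s*;')


def find_duplicate_role_transitions(text):
    """Map every (role, type, class) key that occurs more than once to the
    list of (source_file, source_line, new_role) locations where it appears."""
    seen = defaultdict(list)
    cur_file, cur_line = "<unknown>", 0
    for raw in text.splitlines():
        m = LINE_DIRECTIVE.match(raw)
        if m:
            # The line following a '#line N' directive is source line N.
            cur_line = int(m.group(1))
            if m.group(2):
                cur_file = m.group(2)
            continue
        m = ROLE_TRANSITION.match(raw)
        if m:
            role, ty, cls, new_role = m.groups()
            key = (role, ty, cls or "process")  # class defaults to process
            seen[key].append((cur_file, cur_line, new_role))
        cur_line += 1
    return {k: v for k, v in seen.items() if len(v) > 1}


def report(duplicates):
    """Render the duplicates as one line per key, like a linter would."""
    lines = []
    for (role, ty, cls), locs in sorted(duplicates.items()):
        where = ", ".join(f"{f}:{n} (-> {nr})" for f, n, nr in locs)
        lines.append(f"duplicate role_transition ({role},{ty},{cls}): {where}")
    return lines


if __name__ == "__main__":
    # Usage: python find_dup_role_transitions.py [policy.conf]
    # Without an argument the constructed sample above is scanned.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_CONF
    dups = find_duplicate_role_transitions(text)
    for line in report(dups):
        print(line)
    sys.exit(1 if dups else 0)
```

Running it against the real policy.conf that the failing build leaves behind (`policy.conf` in the refpolicy tree) lists every module that expanded the same transition, which is what you need to decide whether the duplication comes from your own additions or from the fork you are building.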