From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 22 Aug 2016 10:31:24 +0200
Subject: [refpolicy] Using monolithic policy for embedded device
Message-ID: <9abea9ba-6a65-8980-3de6-7d294890236c@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/22/2016 09:28 AM, Dominick Grift wrote:
> On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
>> Hello all,
>>
>> I am new to SELinux and my goal is to implement a custom, small policy on
>> an embedded device.
>> Currently, I have a working modified (narrowed down) policy based on the
>> targeted refpolicy (modular policy). I use a custom openembedded
>> environment.
>>
>> My thought was that since I aim to use the policy on an embedded device (so
>> no changes should be made to the policy on target), using a monolithic
>> policy will save space and I could also save up some system resources.
>>
>> I am having trouble switching to monolithic policy. The main issue is the
>> 'duplicate role transition for XYZ' error. This error occurs for almost any
>> module that is not tagged as "base" in the modules.conf file. From my
>> understanding of the SELinux Notebook, all of the modules tagged as
>> 'module' in the modules.conf file should be compiled along with those
>> tagged as 'base' modules when using monolithic policy.
>>
>> Here is an example log for one of these errors:
>>
>> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
>> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
>> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
>> | #line 493
>> | role_transition sysadm_r iptables_initrc_exec_t system_r;
>> | checkpolicy: error(s) encountered while parsing configuration
>>
>> In order to be sure that the error is not caused by any additions I
>> made, I reverted back to the targeted policy and tried again - and got
>> similar errors.
>>
>> Any hint on how to deal with this?
>>
>
> Are you actually using reference policy or some refpolicy fork? Note
> that for example the RedHat reference policy forks differ quite a bit
> from upstream reference policy, and so it may be a fork specific issue.
>
> I used to do "quick-tests" every time I commit to refpolicy-contrib, to
> ensure that the refpolicy builds (also in a monolithic config), and I
> strongly suspect that the maintainer does this as well.

I just ran my "super-quick-test" on up-to-date refpolicy, and it succeeded.
So as far as I am concerned monolithic policy builds fine, but I may be
overlooking things.

I recorded this and sent it to youtube.

https://www.youtube.com/watch?v=cI16FtUKqPk

As I said, the RedHat fork differs a great deal from reference policy and on
top of that RedHat does not test monolithic builds (because they only
"support" modular builds).

So either it's a RedHat specific issue, or you are doing it wrong. I suggest
that you use the Makefile that is provided with reference policy (see my
video for hints on how to build refpolicy).

Other than the above, I do not know what may cause this for you. Maybe
others have ideas.

>> Thanks,
>> Sagiv.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
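The checkpolicy error quoted in the thread is raised when the flattened policy.conf hands checkpolicy two role_transition rules with the same (role, type, class) key, regardless of which module emitted each one. The script below is an added example written for this page, not code from refpolicy, from checkpolicy, or from anyone in the thread. It scans a policy.conf for such collisions before checkpolicy is run and prints the `#line` context recorded before each colliding rule, which is what points back to the .te file that generated it. It assumes the kernel policy language syntax `role_transition roles types [: classes] new_role;` with `{ ... }` sets allowed in each position and the class defaulting to `process` when omitted, and it runs on a small constructed sample when no file is given.

```python
"""Report duplicate role_transition rules in a flattened SELinux policy.conf.

checkpolicy rejects a policy.conf containing two role_transition rules for
the same (role, type, class) key with
    "duplicate role transition for (role,type,class)".
This script finds those collisions first and shows the "#line" marker that
preceded each offending rule so the originating module can be located.
Added example for this page; not refpolicy or checkpolicy code.
"""
import sys
from collections import defaultdict

# Constructed sample in the shape of a monolithic policy.conf: the same
# transition emitted twice (a direct rule and a rule with the explicit
# ":process" class), a set-expanded rule, and a second collision created
# by expanding a role set.  Not taken from any real policy.
SAMPLE_POLICY_CONF = """\
#line 493
role_transition sysadm_r iptables_initrc_exec_t system_r;
#line 120
role_transition sysadm_r { dmesg_exec_t netutils_exec_t } system_r;
#line 45
role_transition sysadm_r iptables_initrc_exec_t:process system_r;
#line 46
role_transition { staff_r sysadm_r } dmesg_exec_t:process system_r;
"""


def _parse_set(tokens, pos):
    """Return (names, next_pos) for a single name or a { a b c } set at pos."""
    if tokens[pos] == "{":
        end = tokens.index("}", pos)
        return set(tokens[pos + 1:end]), end + 1
    return {tokens[pos]}, pos + 1


def parse_role_transitions(policy_text):
    """Yield (role, type, class, new_role, line_ctx) for every role_transition
    rule, expanding { } sets and defaulting the class to 'process' (assumed
    default of the policy language when the class is omitted)."""
    ctx = None          # most recent "#line N" marker seen
    pending = ""        # statement text accumulated until a ';' is reached
    for raw in policy_text.splitlines():
        if raw.startswith("#line"):
            ctx = raw.strip()
            continue
        line = raw.split("#", 1)[0].strip()   # drop ordinary comments
        if not line:
            continue
        pending = (pending + " " + line).strip()
        if not pending.endswith(";"):
            continue
        stmt, pending = pending[:-1], ""
        tokens = stmt.replace("{", " { ").replace("}", " } ") \
                     .replace(":", " : ").split()
        if not tokens or tokens[0] != "role_transition":
            continue
        roles, pos = _parse_set(tokens, 1)
        types, pos = _parse_set(tokens, pos)
        if pos < len(tokens) and tokens[pos] == ":":
            classes, pos = _parse_set(tokens, pos + 1)
        else:
            classes = {"process"}
        if pos >= len(tokens):
            continue                          # malformed rule; skip it
        new_role = tokens[pos]
        for r in sorted(roles):
            for t in sorted(types):
                for c in sorted(classes):
                    yield r, t, c, new_role, ctx


def find_duplicate_role_transitions(policy_text):
    """Return {(role, type, class): [(new_role, line_ctx), ...]} for every key
    that is defined more than once: exactly the keys checkpolicy rejects."""
    seen = defaultdict(list)
    for r, t, c, new_role, ctx in parse_role_transitions(policy_text):
        seen[(r, t, c)].append((new_role, ctx))
    return {key: defs for key, defs in seen.items() if len(defs) > 1}


def format_report(dups):
    """Render the collisions in the same wording checkpolicy uses."""
    out = []
    for (r, t, c), defs in sorted(dups.items()):
        out.append("duplicate role transition for (%s,%s,%s):" % (r, t, c))
        for new_role, ctx in defs:
            out.append("  -> %s   [%s]" % (new_role, ctx or "no #line context"))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python find_dup_role_trans.py policy.conf   (sample if omitted)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_CONF
    found = find_duplicate_role_transitions(text)
    print(format_report(found) if found else "no duplicate role_transition rules")
```

Run it against the policy.conf that refpolicy's Makefile produces for a monolithic build before invoking checkpolicy; each reported key lists every `#line` marker that preceded a colliding rule, so a rule expanded from a role interface in one module can be matched against the direct rule in another.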