From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 22 Aug 2016 20:45:55 -0400
Subject: [refpolicy] Using monolithic policy for embedded device
In-Reply-To: <9abea9ba-6a65-8980-3de6-7d294890236c@gmail.com>
References: <9abea9ba-6a65-8980-3de6-7d294890236c@gmail.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/22/16 04:31, Dominick Grift via refpolicy wrote:
> On 08/22/2016 09:28 AM, Dominick Grift wrote:
>> On 08/22/2016 09:18 AM, Sagiv Dvash via refpolicy wrote:
>>> Hello all,
>>>
>>> I am new to SELinux and my goal is to implement a custom, small policy on
>>> an embedded device.
>>> Currently, I have a working modified (narrowed down) policy based on the
>>> targeted refpolicy (modular policy). I use a custom openembedded
>>> environment.
>>>
>>> My thought was that since I aim to use the policy on an embedded device (so
>>> no changes should be made to the policy on target), using a monolithic
>>> policy will save space and I could also save some system resources.
>>>
>>> I am having trouble switching to monolithic policy. The main issue is the
>>> 'duplicate role transition for XYZ' error. This error occurs for almost any
>>> module that is not tagged as "base" in the modules.conf file. From my
>>> understanding of the SELinux Notebook, all of the modules tagged as
>>> 'module' in the modules.conf file should be compiled along with those
>>> tagged as 'base' modules when using monolithic policy.
>>>
>>> Here is an example log for one of these errors:
>>>
>>> | full_path/checkpolicy -M -c 29 -U allow policy.conf -o policy.29
>>> | policy/modules/roles/sysadm.te:493:ERROR 'duplicate role transition for
>>> (sysadm_r,iptables_initrc_exec_t,process)' at token ';' on line 515081:
>>> | #line 493
>>> | role_transition sysadm_r iptables_initrc_exec_t
>>> system_r;
>>> | checkpolicy: error(s) encountered while parsing configuration
>>>
>>>
>>> In order to be sure that the error is not caused by any additions I
>>> made, I reverted back to the targeted policy and tried again - and got
>>> similar errors.
>>>
>>> Any hint on how to deal with this?
>>>
>>
>> Are you actually using reference policy or some refpolicy fork? Note
>> that for example the RedHat reference policy forks differ quite a bit
>> from upstream reference policy, and so it may be a fork-specific issue.
>>
>> I used to do "quick-tests" every time I commit to refpolicy-contrib, to
>> ensure that the refpolicy builds (also in a monolithic config), and I
>> strongly suspect that the maintainer does this as well.
>>
>
> I just ran my "super-quick-test" on up-to-date refpolicy, and it
> succeeded. So as far as I am concerned monolithic policy builds fine but
> I may be overlooking things.
>
> I recorded this and sent it to youtube.
>
> https://www.youtube.com/watch?v=cI16FtUKqPk
>
> As I said, the RedHat fork differs a great deal from reference policy
> and on top of that RedHat does not test monolithic builds (because they
> only "support" modular builds)
>
> So either it's a RedHat-specific issue, or you are doing it wrong. I
> suggest that you use the Makefile that is provided with reference policy
> (see my video for hints on how to build refpolicy)
>
> Other than the above, I do not know what may cause this for you. Maybe
> others have ideas.

I'm not aware of any monolithic build problems, but I also can't test all
combinations of modules.

I do local tests before I push and use TravisCI to run more extensive tests:
https://travis-ci.org/TresysTechnology/refpolicy/builds/152252796

-- 
Chris PeBenito
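A small diagnostic for the error quoted in the thread, added here as an example and not part of the original messages or of refpolicy: it scans a generated policy.conf for role_transition statements that repeat the same (role, type, class) triple, which is the key checkpolicy names in 'duplicate role transition for (...)'. The policy.conf text below is constructed, and the regex assumes single-name role and type arguments as in the quoted log rather than brace-enclosed sets.

```python
import re
from collections import defaultdict

# Matches one role_transition statement as written into a monolithic
# policy.conf. The object class is optional and defaults to "process":
#   role_transition sysadm_r iptables_initrc_exec_t system_r;
#   role_transition sysadm_r iptables_initrc_exec_t:process system_r;
# Brace sets ({ a b }) are not handled; this is a deliberate simplification.
ROLE_TRANS_RE = re.compile(
    r"^\s*role_transition\s+(\w+)\s+(\w+)\s*(?::\s*(\w+))?\s+(\w+)\s*;"
)


def find_duplicate_role_transitions(policy_conf_text):
    """Return {(role, type, class): [line numbers]} for triples seen twice or more.

    checkpolicy reports the triple (current role, type, class) in its
    'duplicate role transition' error, so that triple is the grouping key;
    the target role is captured but does not affect the key.
    """
    seen = defaultdict(list)
    for lineno, line in enumerate(policy_conf_text.splitlines(), start=1):
        m = ROLE_TRANS_RE.match(line)
        if not m:
            continue
        role, type_, cls, _new_role = m.groups()
        seen[(role, type_, cls or "process")].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


# Constructed sample: two modules each emitting the same transition, the
# second one with the class spelled out explicitly.
SAMPLE_POLICY_CONF = """\
#line 493
role_transition sysadm_r iptables_initrc_exec_t system_r;
role_transition sysadm_r dhcpd_initrc_exec_t system_r;
allow sysadm_t iptables_initrc_exec_t:file { read execute };
#line 120
role_transition sysadm_r iptables_initrc_exec_t:process system_r;
role_transition staff_r iptables_initrc_exec_t system_r;
"""

if __name__ == "__main__":
    dups = find_duplicate_role_transitions(SAMPLE_POLICY_CONF)
    for (role, type_, cls), lines in sorted(dups.items()):
        print("duplicate role transition for (%s,%s,%s) at lines %s"
              % (role, type_, cls, lines))
```

Point it at the policy.conf produced by the monolithic build (the file passed to checkpolicy in the quoted log) to see which triples collide and on which lines, then trace those back through the #line markers to the modules that both emit them.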