From: diana4mond@naver.com (고재용)
Date: Mon, 7 Nov 2016 14:46:20 +0900 (KST)
Subject: [refpolicy] I want to use refpolicy in centos 7
In-Reply-To: <1477776157.2484.3.camel@trentalancia.net>
References: <8dde386aff5e14f9d20bb3ec592cbea@cvwapp03.nm.nhnsystem.com> <1477776157.2484.3.camel@trentalancia.net>
Message-ID: <1a1b379083a56b0e75f553f2b4dd5ab@cweb12.nm.nhnsystem.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: "Jae-yong, Ko"<diana4mond at naver.com>
To: "Guido Trentalancia"<guido at trentalancia.net>; <refpolicy at oss.tresys.com>;

Thanks for your help. It's taken me so long to write.
I'm trying to follow your steps, but I'm faced with unexpected errors.

First, with make relabel, some of the statements in the file_contexts and file_contexts.homedirs files produce invalid context errors like:

[root at localhost policy]# make relabel
Traceback (most recent call last):
  File "support/policyvers.py", line 3, in <module>
    import selinux
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 519, in <module>
    SELABEL_CTX_ANDROID_SERVICE = _selinux.SELABEL_CTX_ANDROID_SERVICE
AttributeError: 'module' object has no attribute 'SELABEL_CTX_ANDROID_SERVICE'
Relabeling filesystem types: btrfs ext2 ext3 ext4 xfs jfs
/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 193 has invalid context root:object_r:evolution_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 198 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 201 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 202 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 207 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 208 has invalid context root:object_r:gnome_keyring_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 210 has invalid context root:object_r:syncthing_config_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 220 has invalid context root:object_r:ppp_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 238 has invalid context root:object_r:oidentd_home_t:s0
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext2 and /usr/sbin/mke2fs, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext4 and /usr/sbin/mkfs.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext2 and /usr/sbin/e2fsck, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext3 and /usr/sbin/fsck.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext4 and /usr/sbin/fsck.ext3, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext3 and /usr/sbin/mkfs.ext4, using system_u:object_r:bin_t:s0.

To avoid these errors, I added a '#' symbol to the lines that generate errors in /etc/selinux/refpolicy/contexts/files/file_contexts and file_contexts.homedirs.
There are 538 invalid contexts in the file_contexts file, and 49 invalid context errors in file_contexts.homedirs.

After make relabel:

[root at localhost policy]# make relabel
Traceback (most recent call last):
  File "support/policyvers.py", line 3, in <module>
    import selinux
  File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 519, in <module>
    SELABEL_CTX_ANDROID_SERVICE = _selinux.SELABEL_CTX_ANDROID_SERVICE
AttributeError: 'module' object has no attribute 'SELABEL_CTX_ANDROID_SERVICE'
Relabeling filesystem types: btrfs ext2 ext3 ext4 xfs jfs
/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext2 and /usr/sbin/mke2fs, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext4 and /usr/sbin/mkfs.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext2 and /usr/sbin/e2fsck, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext3 and /usr/sbin/fsck.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext4 and /usr/sbin/fsck.ext3, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext3 and /usr/sbin/mkfs.ext4, using system_u:object_r:bin_t:s0.

and reboot.
As a result, it boots into emergency mode...
Is this the right condition in refpolicy?

Second, I think that I found some errors in policy.conf.
There are no declarations for the following types:

type tftp_conf_t;
type djbdns_tinydn_t;
type xdm_spool_t;
type dspam_tmp_t;
type cfengine_var_log_t;
type ccs_conf_t;
type httpd_cobbler_content_t;
type httpd_cobbler_content_ra_t;
type httpd_cobbler_content_rw_t;
type cupsd_spool_t;
type firewall_etc_rw_t;
type mandb_cache_t;
type rpm_cache_t;
type smbd_spool_t;
type sssd_log_t;

These types were used in AV rules or TE rules in the policy.conf file for the monolithic policy, but there are no declarations for them.

And I think there are some errors in the base.conf file in refpolicy for the loadable policy.
I guess some alias keywords are not working in base.conf in the process of binary translation,
and I found a typing error in /refpolicy/src/policy/policy/modules/contrib/apache.if:
httpd_user_content_ra_t and httpd_user_content_rw_t are actually declared as httpd_user_ra_content_t, httpd_user_rw_content_t in /refpolicy/src/policy/policy/modules/contrib/apache.te.

So, the sum of types, attributes and aliases differs from the number of entries in the type hash table.
I wonder whether it is intended.

Third, in make load:

Installing file_contexts.
install -m 0644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
install -m 0644 homedir_template /etc/selinux/refpolicy/contexts/files/homedir_template
umask 022 ; python -E support/genhomedircon -d /etc/selinux -t refpolicy
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
egrep '^[[:blank:]]*type .*customizable' policy.conf | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | LC_ALL=C sort -u > tmp/customizable_types
install -m 0644 tmp/customizable_types /etc/selinux/refpolicy/contexts/customizable_types
Loading refpolicy /etc/selinux/refpolicy/policy/policy.30
/usr/sbin/load_policy -q /etc/selinux/refpolicy/policy/policy.30

I logged load_policy.c in the libselinux process using printf:

libselinux>load_policy.c>selinux_mkload_policy function>
libselinux>load_policy.c>/etc/selinux/targeted/policy/policy.30

The Makefile loads /etc/selinux/refpolicy/policy/policy.30, but /etc/selinux/targeted/policy/policy.30 was actually loaded.

If I want to load refpolicy, what is the way to load refpolicy?

-----Original Message-----
From: "Guido Trentalancia"<guido at trentalancia.net>
To: "jaeyong, ko"<diana4mond at naver.com>; <refpolicy at oss.tresys.com>;
Cc:
Sent: 2016-10-30 (?) 06:22:37
Subject: Re: [refpolicy] I want to use refpolicy in centos 7

Hello again.

On Thu, 27/10/2016 at 17.21 +0900, ??? via refpolicy wrote:
> I install centos7 and use targeted policy
>
> But I want to use refpolicy for modifying policy so I did download
> using following steps
> 1. #git clone https://github.com/TresysTechnology/refpolicy.git
>
> 2. #cd refpolicy
> 3. #git submodule init
> 4. #git submodule update
> 5. Change build.conf file
> Type=mls
> NAME = refpolicy
> MONOLITHIC = y
> 6. #make install-src

Also, remember the correct sequence is:

# (make conf)
# make install-src
# make policy
# make install
# make load

in the Reference Policy directory.

> 7. cd /etc/selinux/refpolicy/src/policy/
> 8. #Make load

I think step 7 is wrong.

> 9. #Cd /etc/selinux and Change config file
> SELINUX = permissive
> SELINUXTYPE = refpolicy
> 10. #touch /.autorelabel

You can also relabel from the Reference Policy directory by issuing:

# make relabel

after you have installed the new policy.

> 11. #Reboot
>
> After desktop is rebooted
> 12. #setenforce 1
> 13. ...... permission deny
> 14. #Sestatus
> ....
> Loaded policy name: targeted ???(refpolicy -> targeted)
> Current mode : enforcing
> ....
> Mode from config file : error (permission denied)???
>
> What should I do?
> Help me...
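
An added example, not part of the original messages or of the Reference Policy sources: it groups the "has invalid context" messages that setfiles prints during make relabel by spec file and type, so the distinct type names behind the rejected entries can be reviewed instead of commenting entries out one by one. The sample lines are copied from the output quoted in the message above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the `make relabel` output quoted in the message above.
SAMPLE = """\
/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 193 has invalid context root:object_r:evolution_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 198 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 201 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 208 has invalid context root:object_r:gnome_keyring_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 220 has invalid context root:object_r:ppp_home_t:s0
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext2 and /usr/sbin/mke2fs, using system_u:object_r:bin_t:s0.
"""

# "<spec file>: line <n> has invalid context user:role:type[:range]"
# The optional MLS range may itself contain colons (e.g. s0:c0.c1023).
INVALID = re.compile(
    r"^(?P<file>\S+): line (?P<line>\d+) has invalid context "
    r"(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+)(?::(?P<range>\S+))?$"
)


def invalid_types(output):
    """Return {spec file: {type: [line numbers]}} for each invalid-context message."""
    found = defaultdict(lambda: defaultdict(list))
    for raw in output.splitlines():
        m = INVALID.match(raw.strip())
        if m:  # other setfiles/make output (filespec_add, tracebacks) is skipped
            found[m["file"]][m["type"]].append(int(m["line"]))
    return {spec: dict(types) for spec, types in found.items()}


def report(output):
    """Render one summary line per spec file, then its types, most frequent first."""
    lines = []
    for spec, types in sorted(invalid_types(output).items()):
        total = sum(len(nums) for nums in types.values())
        lines.append(f"{spec}: {total} entries, {len(types)} distinct types")
        for name, nums in sorted(types.items(), key=lambda kv: (-len(kv[1]), kv[0])):
            lines.append(f"  {name}: lines {', '.join(map(str, nums))}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```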