From: rfkrocktk@gmail.com (Naftuli Kay) Date: Sun, 29 Jan 2017 11:14:03 -0800 Subject: [refpolicy] Install Directory for Reference Policy? In-Reply-To: References: <8978CC35-BED8-451C-BB84-F2335A256ADE@chaschperli.ch> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu 16.04. I have installed all build dependencies and I have cloned the Git repository to a local directory at ~/Documents/Development/refpolicy. I have made sure that both the top-level Git repository (refpolicy) and the refpolicy-contrib submodule are both up to date with latest master from GitHub. Following Guido's guidance, I did the following: cd ~/Documents/Development/refpolicy make clean make conf I then edited build.conf to enable systemd, because that is my init here on 16.04. I did not make any other modifications, the policy name is refpolicy and the type is standard. I then ran: $ sudo make install-src rm -rf /etc/selinux/refpolicy/src/policy.old mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory Makefile:551: recipe for target 'install-src' failed make: [install-src] Error 1 (ignored) mkdir -p /etc/selinux/refpolicy/src/policy cp -R . /etc/selinux/refpolicy/src/policy $ sudo make install-src rm -rf /etc/selinux/refpolicy/src/policy.old mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old mkdir -p /etc/selinux/refpolicy/src/policy cp -R . /etc/selinux/refpolicy/src/policy The first time, as shown, errored, and the second time seemed to work. I then ran: make policy sudo make install It compiled all of the modules and it seems that it installed everything to /usr/share/selinux/refpolicy, rather than /etc/selinux/refpolicy, which it seems is what my distribution expects. I then ran sudo make load It failed with: /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed. There is a lot of debugging output which I have listed here: https://gist.github.com/naftulikay/3c24fc7a1d63f26c3e401f6ed5a1f8b5 There are multiple files describing the contents of /usr/share/selinux/refpolicy, /etc/selinux/refpolicy, my kernel command line, and more. I'm not sure what I'm doing wrong, but I may setup a 16.04 Vagrant VM project to see if I can iterate on this to know exactly the steps that need to be taken to get things to work. Thanks, - Naftuli Kay On Tue, Jan 17, 2017 at 3:11 PM, Guido Trentalancia via refpolicy wrote: > Hello. > > If you do "make conf" before "make install" it will override the configuration that you have previously created (including the name of the policy and therefore its location). > > Try the following sequence from the top-level directory where you have the policy source (for example as checked out from git or extracted from a release): > > make clean > make conf > > edit build.conf to suit your needs (including the name of the policy, for example "refpolicy") > > make install-src > make policy > make install > > edit /etc/selinux/config to select the new policy > > make load > > That is it. The next time you build it, don't issue "make conf" again, it is just to get an initial build configuration file. > > I hope it helps. > > Regards, > > Guido > > On the 17th of January 2017 19:21:09 CET, Naftuli Kay via refpolicy wrote: >>I have followed the given instructions and I still don't have my >>policy installed in the right place: >> >>cd /etc/selinux/refpolicy/src/policy >>make clean >>make bare >>make conf >>make install >> >>Compare output of tree -L 2 /etc/selinux/default: >>http://pastebin.com/vwtbrjfY >> >>with output of tree -L 2 /etc/selinux/refpolicy: >>http://pastebin.com/aDUCEzq0 >>Thanks, >> - Naftuli Kay >> >> >>On Tue, Jan 17, 2017 at 10:09 AM, Naftuli Kay >>wrote: >>> I have not, I was unfortunately not aware of it. Following >>instructions now. >>> Thanks, >>> - Naftuli Kay >>> >>> >>> On Mon, Jan 16, 2017 at 9:05 PM, Thomas >>wrote: >>>> Did you follow the guide? >>>> https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy >>>> >>>> And i think semanage requires the -S switch to operate on a non >>loaded >>>> policy store: >>>> >>>> -S, --store >>>> Select and alternate SELinux store to manage >>>> >>>> -thomas >>>> >>>> Am 17. Januar 2017 05:24:40 MEZ schrieb Naftuli Kay via refpolicy >>>> : >>>>> >>>>> I'm on Ubuntu 16.04 and I've just compiled the reference policy >>via: >>>>> >>>>> git clone https://github.com/TresysTechnology/refpolicy.git >>>>> cd refpolicy >>>>> git submodule init >>>>> git submodule update >>>>> git checkout RELEASE_2_20161023 >>>>> ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 ) >>>>> make conf >>>>> make install >>>>> >>>>> My build.conf looks like this: >>>>> >>>>> TYPE = standard >>>>> NAME = refpolicy >>>>> DISTRO = debian >>>>> UNK_PERMS = deny >>>>> DIRECT_INITRC = n >>>>> SYSTEMD = y >>>>> MONOLITHIC = n >>>>> UBAC = y >>>>> CUSTOM_BUILDOPT = >>>>> MLS_SENS = 16 >>>>> MLS_CATS = 1024 >>>>> MCS_CATS = 1024 >>>>> QUIET = n >>>>> >>>>> Pretty normal stuff. >>>>> >>>>> Unfortunately, though it properly loads at the time of "make >>install," >>>>> it isn't installed into the expected directory by my distro. >>>>> Apparently, Ubuntu wants the binary files to be located at >>>>> /etc/selinux/$NAME. The upstream "selinux-policy-default" package >>>>> installs its dependencies to /etc/selinux/default and its contents >>can >>>>> be viewed here: http://pastebin.com/8fXvdFUA >>>>> >>>>> Is there a variable I need to set to have the reference policy >>install >>>>> itself/copy its files following this pattern to >>>>> /etc/selinux/refpolicy? >>>>> ________________________________ >>>>> >>>>> refpolicy mailing list >>>>> refpolicy at oss.tresys.com >>>>> http://oss.tresys.com/mailman/listinfo/refpolicy >>_______________________________________________ >>refpolicy mailing list >>refpolicy at oss.tresys.com >>http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy