From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 29 Jan 2017 21:59:55 +0100
Subject: [refpolicy] Install Directory for Reference Policy?
In-Reply-To: <1485721747.10304.9.camel@trentalancia.net>
References: <8978CC35-BED8-451C-BB84-F2335A256ADE@chaschperli.ch> <1485721747.10304.9.camel@trentalancia.net>
Message-ID: <1485723595.10304.12.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Consider you also have to relabel the filesystem, ideally after installing and before loading a new policy:

# make relabel

Of course, this is not related to the error that you reported, but doing so will prevent further problems once you have finally managed to load the new policy...

Regards,

Guido

On Sun, 29/01/2017 at 21.29 +0100, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> First thing, if you meet problems again after trying the following
> advice, then it is probably a good idea to rename your new policy (the
> one that you build), so that you can distinguish from the default
> policy installed from your distribution (otherwise there is no
> difference other than the timestamp).
>
> On Sun, 29/01/2017 at 11.14 -0800, Naftuli Kay wrote:
> >
> > Okay, so again to reiterate, I am on elementary Loki, which is Ubuntu
> > 16.04. I have installed all build dependencies and I have cloned the
> > Git repository to a local directory at
> > ~/Documents/Development/refpolicy.
> >
> > I have made sure that both the top-level Git repository (refpolicy)
> > and the refpolicy-contrib submodule are both up to date with latest
> > master from GitHub.
> >
> > Following Guido's guidance, I did the following:
> >
> > cd ~/Documents/Development/refpolicy
> > make clean
> > make conf
> >
> > I then edited build.conf to enable systemd, because that is my init
> > here on 16.04. I did not make any other modifications, the policy name
> > is refpolicy and the type is standard.
> >
> > I then ran:
> >
> > $ sudo make install-src
> > rm -rf /etc/selinux/refpolicy/src/policy.old
> > mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> > mv: cannot stat '/etc/selinux/refpolicy/src/policy': No such file or directory
> > Makefile:551: recipe for target 'install-src' failed
> > make: [install-src] Error 1 (ignored)
> > mkdir -p /etc/selinux/refpolicy/src/policy
> > cp -R . /etc/selinux/refpolicy/src/policy
> >
> > $ sudo make install-src
> > rm -rf /etc/selinux/refpolicy/src/policy.old
> > mv /etc/selinux/refpolicy/src/policy /etc/selinux/refpolicy/src/policy.old
> > mkdir -p /etc/selinux/refpolicy/src/policy
> > cp -R . /etc/selinux/refpolicy/src/policy
> >
> > The first time, as shown, errored, and the second time seemed to
> > work.
>
> That is normal.
>
> >
> > I then ran:
> >
> > make policy
> > sudo make install
> >
> > It compiled all of the modules and it seems that it installed
> > everything to /usr/share/selinux/refpolicy, rather than
> > /etc/selinux/refpolicy, which it seems is what my distribution
> > expects.
> >
> > I then ran
> >
> > sudo make load
> >
> > It failed with:
> >
> > /usr/sbin/semodule: SELinux policy is not managed or store cannot be accessed.
>
> Perhaps, the policy that is currently loaded (from your distribution)
> uses a different directory to store the policy itself and therefore
> doesn't let you load the new policy from a different directory...
>
> In that case, you can try temporarily disabling SELinux by switching
> from "enforcing" mode to "permissive" mode, then load the new policy
> and finally switch back to SELinux "enforcing" mode:
>
> # setenforce 0
> # sudo make load
> # setenforce 1
>
> If you are still experiencing problems, try "make load" as root instead
> of sudo.
>
> I hope this helps...
>
> Regards,
>
> Guido