From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 31 Jan 2017 15:19:51 +0100
Subject: [refpolicy] Install Directory for Reference Policy?
In-Reply-To: <1485809725.14345.4.camel@trentalancia.net>
References: <1485809725.14345.4.camel@trentalancia.net>
Message-ID: <1485872391.14345.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy wrote:
> Hello again.
>
> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
> >
> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
> > via:
> >
> >     git clone https://github.com/TresysTechnology/refpolicy.git
> >     cd refpolicy
> >     git submodule init
> >     git submodule update
> >     git checkout RELEASE_2_20161023
> >     ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
> >     make conf
> >     make install
> >
> > My build.conf looks like this:
> >
> >     TYPE = standard
> >     NAME = refpolicy
> >     DISTRO = debian
> >     UNK_PERMS = deny
> >     DIRECT_INITRC = n
> >     SYSTEMD = y
> >     MONOLITHIC = n
> >     UBAC = y
> >     CUSTOM_BUILDOPT =
> >     MLS_SENS = 16
> >     MLS_CATS = 1024
> >     MCS_CATS = 1024
> >     QUIET = n
> >
> > Pretty normal stuff.
> >
> > Unfortunately, though it properly loads at the time of "make
> > install," it isn't installed into the expected directory by my
> > distro.
>
> You shouldn't worry about the installation directory. The path that
> is being used should be fine. Part of the policy goes under
> /etc/selinux and part goes under /usr/share/selinux.
>
> >
> > Apparently, Ubuntu wants the binary files to be located at
> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
> > installs its dependencies to /etc/selinux/default and its contents
> > can be viewed here: http://pastebin.com/8fXvdFUA
> >
> > Is there a variable I need to set to have the reference policy
> > install itself/copy its files following this pattern to
> > /etc/selinux/refpolicy?
>
> The problem is that your "make load" build step fails, as far as I
> remember, and that is why you are not getting the policy.29 file in
> /etc/selinux/refpolicy.
>
> Can you try changing the TYPE of the policy in build.conf from
> "standard" to "mcs" and perform all the build steps again?
>
> Also, please perform the build steps from the development directory
> located in your home and not on the installation subdirectory of
> /etc/selinux/refpolicy.

In addition to using "mcs" instead of "standard" as the policy type,
you should revert the following patch if you are using the SELinux
tools which come with Ubuntu:

commit 1e0561caed7b90469c037a91ff4739dc24a2de54
Author: Guido Trentalancia
Date:   Fri Sep 2 12:58:42 2016 +0200

    Avoid using deprecated semodule options (-b or --base)
    during "make load".

    Signed-off-by: Guido Trentalancia
---
 Rules.modular | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200 +++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200 @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) # created by semanage @echo "Loading configured modules." @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) ######################################## #
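
Review bot: The replacement of "-b" with "-i" for the base package on the $(SEMODULE) line of the "load" target is unconditional, and neither the commit message nor the Makefile rule says which semodule versions accept the base package through "-i". The message above advises reverting this change by hand when using the SELinux tools that come with Ubuntu, so that toolchain is not covered by the rule as written. Consider stating the minimum supported toolchain version in the commit message, or selecting the option through a build setting so that older tools can keep using "-b" without patching Rules.modular.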