From: rfkrocktk@gmail.com (Naftuli Kay)
Date: Sun, 5 Feb 2017 19:53:30 -0800
Subject: [refpolicy] Install Directory for Reference Policy?
In-Reply-To: <1485872391.14345.7.camel@trentalancia.net>
References: <1485809725.14345.4.camel@trentalancia.net> <1485872391.14345.7.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I have reverted that and I think that it is finally running as expected, but I'm getting more errors:

Can not stat: /etc/selinux/refpolicy/contexts/files/file_contexts.local: No such file or directory
libsemanage.sefcontext_compile: sefcontext_compile returned error code 1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
libsemanage.semanage_install_active: Could not copy /etc/selinux/refpolicy/modules/active/file_contexts.homedirs to /etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such file or directory).
/usr/sbin/semodule: Failed!
Rules.modular:56: recipe for target 'load' failed
make: *** [load] Error 1

However, refpolicy is FINALLY loaded:

SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: refpolicy
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Max kernel policy version: 30

Hooray!

How can I fix these other build problems? I'm on the latest stable release: 2.20170204. If these are simply Makefile issues, I might patch in to cover the Ubuntu edge-case of semodule -b.

Thanks,
- Naftuli Kay

On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy wrote:
> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
> wrote:
>> Hello again.
>>
>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
>> >
>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
>> > via:
>> >
>> > git clone https://github.com/TresysTechnology/refpolicy.git
>> > cd refpolicy
>> > git submodule init
>> > git submodule update
>> > git checkout RELEASE_2_20161023
>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>> > make conf
>> > make install
>> >
>> > My build.conf looks like this:
>> >
>> > TYPE = standard
>> > NAME = refpolicy
>> > DISTRO = debian
>> > UNK_PERMS = deny
>> > DIRECT_INITRC = n
>> > SYSTEMD = y
>> > MONOLITHIC = n
>> > UBAC = y
>> > CUSTOM_BUILDOPT =
>> > MLS_SENS = 16
>> > MLS_CATS = 1024
>> > MCS_CATS = 1024
>> > QUIET = n
>> >
>> > Pretty normal stuff.
>> >
>> > Unfortunately, though it properly loads at the time of "make install,"
>> > it isn't installed into the expected directory by my distro.
>>
>> You shouldn't worry about the installation directory. The path that is
>> being used should be fine. Part of the policy goes under /etc/selinux
>> and part goes under /usr/share/selinux.
>>
>> >
>> > Apparently, Ubuntu wants the binary files to be located at
>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>> > installs its dependencies to /etc/selinux/default and its contents
>> > can be viewed here: http://pastebin.com/8fXvdFUA
>> >
>> > Is there a variable I need to set to have the reference policy install
>> > itself/copy its files following this pattern to
>> > /etc/selinux/refpolicy?
>>
>> The problem is that your "make load" build step fails, as far as I
>> remember, and that is why you are not getting the policy.29 file in
>> /etc/selinux/refpolicy.
>>
>> Can you try changing the TYPE of the policy in build.conf from
>> "standard" to "mcs" and perform all the build steps again?
>> >> Also, please perform the build steps from the development directory >> located in your home and not on the installation subdirectory of >> /etc/selinux/refpolicy. > > In addition to using "mcs" instead of "standard" as the policy type, > you should revert the following patch if you are using the SELinux > tools which comes with Ubuntu: > > commit 1e0561caed7b90469c037a91ff4739dc24a2de54 > Author: Guido Trentalancia > Date: Fri Sep 2 12:58:42 2016 +0200 > > Avoid using deprecated semodule options (-b or --base) during "make > load". > > Signed-off-by: Guido Trentalancia > --- > Rules.modular | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 21:26:43.257773849 +0200 > +++ refpolicy-git-06082016/Rules.modular 2016-09-02 12:36:07.214247080 +0200 > @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) > # created by semanage > @echo "Loading configured modules." > @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) > - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > > ######################################## > # > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
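Review bot: In the `load` recipe of Rules.modular the base package flag is switched from `-b` to `-i` unconditionally, so a toolchain whose semodule still expects `-b` for the base package has no way to keep the old behaviour short of reverting the commit, which is exactly what this thread ends up recommending for the tools shipped with Ubuntu. Consider taking the flag from an overridable make variable (a hypothetical name such as BASE_INSTALL_OPT, defaulting to `-i`) so that distributions with older tools can set it back to `-b` at build time. The commit message also gives no indication of which semodule releases accept `-i` for the base package; stating that would tell packagers when the change is safe to carry.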