From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 07 Feb 2017 23:52:10 +0100
Subject: [refpolicy] Install Directory for Reference Policy?
In-Reply-To:
References: <1485809725.14345.4.camel@trentalancia.net> <1485872391.14345.7.camel@trentalancia.net>
Message-ID: <3F2071EC-F998-474F-9BF5-D21F7AE58705@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

You have surely done well to revert the patch that I told you about, because the SELinux tools that you are using are based on an obsolete syntax.

However, I believe that your policy has not been loaded, because of the additional errors that you quoted.

The sestatus tool is just a very simple program that reads your SELinux configuration file and prints out the name of the policy that you have configured there... It is very limited.

What matters is that semodule failed to load your new policy. It might be due to obsolete or incompatible versions of the tools and the libraries.

Either you spend time to fully debug the problem or you try the latest SELinux tools and libraries.

I hope this helps.

Regards,

Guido

On the 6th of February 2017 04:53:30 CET, Naftuli Kay wrote:
>I have reverted that and I think that it is finally running as
>expected, but I'm getting more errors:
>
>Can not stat:
>/etc/selinux/refpolicy/contexts/files/file_contexts.local:
>No such file or directory
>libsemanage.sefcontext_compile: sefcontext_compile returned error code
>1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
>libsemanage.semanage_install_active: Could not copy
>/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to
>/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such
>file or directory).
>/usr/sbin/semodule: Failed!
>Rules.modular:56: recipe for target 'load' failed
>make: *** [load] Error 1
>
>However, refpolicy is FINALLY loaded:
>
>SELinux status: enabled
>SELinuxfs mount: /sys/fs/selinux
>SELinux root directory: /etc/selinux
>Loaded policy name: refpolicy
>Current mode: permissive
>Mode from config file: permissive
>Policy MLS status: disabled
>Policy deny_unknown status: denied
>Max kernel policy version: 30
>
>Hooray! How can I fix these other build problems? I'm on the latest
>stable release: 2.20170204.
>
>If these are simply Makefile issues, I might patch in to cover the
>Ubuntu edge-case of semodule -b.
>
>Thanks,
> - Naftuli Kay
>
>
>On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy wrote:
>> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy wrote:
>>> Hello again.
>>>
>>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
>>> >
>>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy via:
>>> >
>>> > git clone https://github.com/TresysTechnology/refpolicy.git
>>> > cd refpolicy
>>> > git submodule init
>>> > git submodule update
>>> > git checkout RELEASE_2_20161023
>>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
>>> > make conf
>>> > make install
>>> >
>>> > My build.conf looks like this:
>>> >
>>> > TYPE = standard
>>> > NAME = refpolicy
>>> > DISTRO = debian
>>> > UNK_PERMS = deny
>>> > DIRECT_INITRC = n
>>> > SYSTEMD = y
>>> > MONOLITHIC = n
>>> > UBAC = y
>>> > CUSTOM_BUILDOPT =
>>> > MLS_SENS = 16
>>> > MLS_CATS = 1024
>>> > MCS_CATS = 1024
>>> > QUIET = n
>>> >
>>> > Pretty normal stuff.
>>> >
>>> > Unfortunately, though it properly loads at the time of "make install,"
>>> > it isn't installed into the expected directory by my distro.
>>>
>>> You shouldn't worry about the installation directory. The path that is
>>> being used should be fine. Part of the policy goes under /etc/selinux
>>> and part goes under /usr/share/selinux.
>>>
>>> >
>>> > Apparently, Ubuntu wants the binary files to be located at
>>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
>>> > installs its dependencies to /etc/selinux/default and its contents can
>>> > be viewed here: http://pastebin.com/8fXvdFUA
>>> >
>>> > Is there a variable I need to set to have the reference policy install
>>> > itself/copy its files following this pattern to
>>> > /etc/selinux/refpolicy?
>>>
>>> The problem is that your "make load" build step fails, as far as I
>>> remember, and that is why you are not getting the policy.29 file in
>>> /etc/selinux/refpolicy.
>>>
>>> Can you try changing the TYPE of the policy in build.conf from
>>> "standard" to "mcs" and perform all the build steps again?
>>>
>>> Also, please perform the build steps from the development directory
>>> located in your home and not on the installation subdirectory of
>>> /etc/selinux/refpolicy.
>>
>> In addition to using "mcs" instead of "standard" as the policy type,
>> you should revert the following patch if you are using the SELinux
>> tools which come with Ubuntu:
>>
>> commit 1e0561caed7b90469c037a91ff4739dc24a2de54
>> Author: Guido Trentalancia
>> Date: Fri Sep 2 12:58:42 2016 +0200
>>
>> Avoid using deprecated semodule options (-b or --base) during "make
>> load".
>>
>> Signed-off-by: Guido Trentalancia
>> ---
>> Rules.modular | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06 >21:26:43.257773849 +0200 >> +++ refpolicy-git-06082016/Rules.modular 2016-09-02 >12:36:07.214247080 +0200 
>> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) >> # created by semanage >> @echo "Loading configured modules." >> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) >> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) >> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) >> >> ######################################## >> # >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy
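
Review bot: The semodule line in the load target now hard-codes -i for the base package, with no fallback for a semodule that still expects -b, and the message quoting this patch advises reverting it when building with the SELinux tools that come with Ubuntu. Consider passing the base-install option through a make variable that defaults to -i and can be overridden at build time, and say in the commit message which tool behaviour the change depends on, so that users of an older userspace do not need to revert the commit to get "make load" working.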