From: rfkrocktk@gmail.com (Naftuli Kay)
Date: Tue, 21 Feb 2017 21:35:49 -0800
Subject: [refpolicy] Install Directory for Reference Policy?
In-Reply-To: <3F2071EC-F998-474F-9BF5-D21F7AE58705@trentalancia.net>
References: <1485809725.14345.4.camel@trentalancia.net>
 <1485872391.14345.7.camel@trentalancia.net>
 <3F2071EC-F998-474F-9BF5-D21F7AE58705@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I believe that I'll have to do some work to compile the userspace
utilities and package them for my distribution.

Thanks,
 - Naftuli Kay

On Tue, Feb 7, 2017 at 2:52 PM, Guido Trentalancia via refpolicy <
refpolicy@oss.tresys.com> wrote:

> Hello.
>
> You have surely done well to revert the patch that I told you, because the
> SELinux tools that you are using are based on an obsolete syntax.
>
> However, I believe that your policy has not been loaded, because of the
> additional errors that you quoted.
>
> The sestatus tool is just a very simple program that reads your SELinux
> configuration file and prints out the name of the policy that you have
> configured there... It is very limited.
>
> What matters is that semodule failed to load your new policy.
>
> It might be due to obsolete or incompatible versions of the tools and the
> libraries. Either you spend time to fully debug the problem or you try the
> latest SELinux tools and libraries.
>
> I hope this helps.
>
> Regards,
>
> Guido
>
> On the 6th of February 2017 04:53:30 CET, Naftuli Kay
> wrote:
> >I have reverted that and I think that it is finally running as
> >expected, but I'm getting more errors:
> >
> >Can not stat:
> >/etc/selinux/refpolicy/contexts/files/file_contexts.local:
> >No such file or directory
> >libsemanage.sefcontext_compile: sefcontext_compile returned error code
> >1. Compiling /etc/selinux/refpolicy/contexts/files/file_contexts.local
> >libsemanage.semanage_install_active: Could not copy
> >/etc/selinux/refpolicy/modules/active/file_contexts.homedirs to
> >/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs. (No such
> >file or directory).
> >/usr/sbin/semodule: Failed!
> >Rules.modular:56: recipe for target 'load' failed
> >make: *** [load] Error 1
> >
> >However, refpolicy is FINALLY loaded:
> >
> >SELinux status: enabled
> >SELinuxfs mount: /sys/fs/selinux
> >SELinux root directory: /etc/selinux
> >Loaded policy name: refpolicy
> >Current mode: permissive
> >Mode from config file: permissive
> >Policy MLS status: disabled
> >Policy deny_unknown status: denied
> >Max kernel policy version: 30
> >
> >Hooray! How can I fix these other build problems? I'm on the latest
> >stable release: 2.20170204.
> >
> >If these are simply Makefile issues, I might patch in to cover the
> >Ubuntu edge-case of semodule -b.
> >
> >Thanks,
> > - Naftuli Kay
> >
> >
> >On Tue, Jan 31, 2017 at 6:19 AM, Guido Trentalancia via refpolicy
> > wrote:
> >> On Mon, 30/01/2017 at 21.55 +0100, Guido Trentalancia via refpolicy
> >> wrote:
> >>> Hello again.
> >>>
> >>> On Mon, 16/01/2017 at 20.24 -0800, Naftuli Kay via refpolicy wrote:
> >>> >
> >>> > I'm on Ubuntu 16.04 and I've just compiled the reference policy
> >>> > via:
> >>> >
> >>> > git clone https://github.com/TresysTechnology/refpolicy.git
> >>> > cd refpolicy
> >>> > git submodule init
> >>> > git submodule update
> >>> > git checkout RELEASE_2_20161023
> >>> > ( cd policy/modules/contrib && git checkout RELEASE_2_20161023 )
> >>> > make conf
> >>> > make install
> >>> >
> >>> > My build.conf looks like this:
> >>> >
> >>> > TYPE = standard
> >>> > NAME = refpolicy
> >>> > DISTRO = debian
> >>> > UNK_PERMS = deny
> >>> > DIRECT_INITRC = n
> >>> > SYSTEMD = y
> >>> > MONOLITHIC = n
> >>> > UBAC = y
> >>> > CUSTOM_BUILDOPT =
> >>> > MLS_SENS = 16
> >>> > MLS_CATS = 1024
> >>> > MCS_CATS = 1024
> >>> > QUIET = n
> >>> >
> >>> > Pretty normal stuff.
> >>> >
> >>> > Unfortunately, though it properly loads at the time of "make
> >>> > install," it isn't installed into the expected directory by my
> >>> > distro.
> >>>
> >>> You shouldn't worry about the installation directory. The path that
> >>> is being used should be fine. Part of the policy goes under
> >>> /etc/selinux and part goes under /usr/share/selinux.
> >>> >
> >>> > Apparently, Ubuntu wants the binary files to be located at
> >>> > /etc/selinux/$NAME. The upstream "selinux-policy-default" package
> >>> > installs its dependencies to /etc/selinux/default and its contents
> >>> > can be viewed here: http://pastebin.com/8fXvdFUA
> >>> >
> >>> > Is there a variable I need to set to have the reference policy
> >>> > install itself/copy its files following this pattern to
> >>> > /etc/selinux/refpolicy?
> >>>
> >>> The problem is that your "make load" build step fails, as far as I
> >>> remember, and that is why you are not getting the policy.29 file in
> >>> /etc/selinux/refpolicy.
> >>>
> >>> Can you try changing the TYPE of the policy in build.conf from
> >>> "standard" to "mcs" and perform all the build steps again ?
> >>>
> >>> Also, please perform the build steps from the development directory
> >>> located in your home and not on the installation subdirectory of
> >>> /etc/selinux/refpolicy.
> >>
> >> In addition to using "mcs" instead of "standard" as the policy type,
> >> you should revert the following patch if you are using the SELinux
> >> tools which comes with Ubuntu:
> >>
> >> commit 1e0561caed7b90469c037a91ff4739dc24a2de54
> >> Author: Guido Trentalancia
> >> Date: Fri Sep 2 12:58:42 2016 +0200
> >>
> >> Avoid using deprecated semodule options (-b or --base) during "make
> >> load".
> >>
> >> Signed-off-by: Guido Trentalancia
> >> ---
> >> Rules.modular | 2 +-
> >> 1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> --- refpolicy-git-06082016-orig/Rules.modular 2016-08-06
> >21:26:43.257773849 +0200
> >> +++ refpolicy-git-06082016/Rules.modular 2016-09-02
> >12:36:07.214247080 +0200
> >> @@ -55,7 +55,7 @@ load: $(instpkg) $(appfiles) > >> # created by semanage > >> @echo "Loading configured modules." > >> @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) > >> - $(verbose) $(SEMODULE) -s $(NAME) -b $(modpkgdir)/$(notdir > >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > >> + $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir > >$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) > >> > >> ######################################## > >> # > >> _______________________________________________ > >> refpolicy mailing list > >> refpolicy at oss.tresys.com > >> http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20170221/a9b56d8e/attachment.html
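
Review bot: in the `load` recipe of Rules.modular the base package is now always passed to `$(SEMODULE)` with `-i`, and the hunk leaves no fallback for a semodule that still expects `-b`; this thread reports that case with the SELinux tools shipped in Ubuntu, where the advice given was to revert the commit. Consider selecting the flag through a make variable that defaults to `-i` and can be overridden to `-b` (the variable would be new; none is visible in the hunk), so that older userspace does not require reverting the change. The commit message should also state which userspace tool version deprecated `-b`/`--base`, so packagers can tell from the log whether their semodule is affected before `make load` fails.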