2016-10-27 08:21:44

by diana4mond

Subject: [refpolicy] I want to use refpolicy in centos 7

I installed CentOS 7 and use the targeted policy.
But I want to use refpolicy for modifying policy, so I downloaded it using the following steps:
1. #git clone https://github.com/TresysTechnology/refpolicy.git
2. #cd refpolicy
3. #git submodule init
4. #git submodule update
5. Change build.conf file
Type=mls
NAME = refpolicy
MONOLITHIC = y
6. #make install-src
7. cd /etc/selinux/refpolicy/src/policy/
8. #Make load
9. #Cd /etc/selinux and Change config file
SELINUX = permissive
SELINUXTYPE = refpolicy
10. #touch /.autorelabel
11. #Reboot
After desktop is rebooted
12. #setenforce 1
13. ...... permission deny
14. #Sestatus
....
Loaded policy name: targeted ???(refpolicy -> targeted)
Current mode : enforcing
....
Mode from config file : error (permission denied)???
What should I do?
Help me...




2016-10-29 16:24:06

by guido

Subject: [refpolicy] I want to use refpolicy in centos 7

Hi.

On Thu, 27/10/2016 at 17.21 +0900, ??? via refpolicy wrote:
> I install centos7 and use targeted policy
>
> But i want to use refpolicy for modifying policy so i did download
> using following steps
> 1. #git clone https://github.com/TresysTechnology/refpolicy.git
>
> 2. #cd refpolicy
> 3. #git submodule init
> 4. #git submodule update
> 5. Change build.conf file
> Type=mls
> NAME = refpolicy
> MONOLITHIC = y
> 6. #make install-src
> 7. cd /etc/selinux/refpolicy/src/policy/
> 8. #Make load
> 9. #Cd /etc/selinux and Change config file
> SELINUX = permissive
> SELINUXTYPE = refpolicy
> 10. #touch /.autorelabel
> 11. #Reboot
>
> After desktop is rebooted
> 12. #setenforce 1
> 13. ...... permission deny
> 14. #Sestatus
> ....
> Loaded policy name: targeted ???(refpolicy -> targeted)
> Current mode : enforcing
> ....
> Mode from config file : error (permission denied)???
>
> What should I do?
> Help me...

You should try rebooting in permissive mode by passing the enforcing=0
option before boot (if you are using the "grub" bootloader, press "e"
during boot to edit kernel boot parameters).

On some systems, you might also try editing /etc/selinux/config and
replace "SELINUX=enforcing" with "SELINUX=permissive" (and then
reboot), although that is not guaranteed to work with all systems.

Then once you have booted in permissive mode, you should inspect the
audit log file (usually /var/log/audit.log) for SELinux permission
denials (log lines containing the " denied " string) and from that you
can understand what is going on (SELinux is denying some permissions
needed to run your system).

I hope it helps.

Guido
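As an added illustration of the triage described above (example code written for this page, not Guido's and not part of the refpolicy project): a small Python script that pulls the AVC denial records out of audit log text, skips grants and non-AVC records, and tallies them by source type, target type, object class and permission. The sample records are constructed. The rule-shaped output is only a compact way of reading the tally; whether a denial calls for a policy change or merely for a relabel of a mislabelled file is a decision to make per denial, after looking at the target context.

```python
import re
from collections import Counter

# Constructed sample of auditd records (not taken from the thread): three AVC
# denials, one AVC grant and one SYSCALL record, in the layout auditd writes.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1477561200.123:45): avc:  denied  { read } for  pid=1234 comm="sshd" name="sshd_config" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1477561200.456:46): avc:  denied  { write } for  pid=1234 comm="sshd" name="lastlog" dev="dm-0" ino=2002 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1477561201.000:47): avc:  granted  { setenforce } for  pid=999 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1477561202.789:48): avc:  denied  { read open } for  pid=1234 comm="sshd" name="sshd_config" dev="dm-0" ino=1001 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1477561202.789:48): arch=c000003e syscall=2 success=yes exit=3 comm="sshd" exe="/usr/sbin/sshd"
"""

# Matches only " denied " AVC records; the fields are the ones auditd always
# emits for an AVC message. 'granted' records do not match.
AVC_DENIED_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"   # permissions that were denied
    r"(?:.*?\bcomm=\"(?P<comm>[^\"]*)\")?"            # process name, if present
    r".*?\bscontext=(?P<scontext>\S+)"                # source (process) context
    r"\s+tcontext=(?P<tcontext>\S+)"                  # target (object) context
    r"\s+tclass=(?P<tclass>\S+)"                      # object class
    r"(?:\s+permissive=(?P<permissive>[01]))?"        # 1 = logged, not enforced
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC denial line; every other record is skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_DENIED_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = tuple(d["perms"].split())
        d["permissive"] = d["permissive"] == "1"
        denials.append(d)
    return denials


def summarize(denials):
    """Count (source type, target type, class, permission) tuples."""
    counts = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(type_of(d["scontext"]), type_of(d["tcontext"]),
                    d["tclass"], perm)] += 1
    return counts


def as_rule(key):
    """Render a tally key in TE rule syntax, purely as a readable summary."""
    src, tgt, tclass, perm = key
    return f"allow {src} {tgt}:{tclass} {perm};"


if __name__ == "__main__":
    # For a live system, read the auditd log instead of the sample text; the
    # path (assumed) is /var/log/audit/audit.log on CentOS 7.
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for key, n in summarize(found).most_common():
        print(f"{n:4d}  {as_rule(key)}")
```

The `permissive` flag in each record tells you the action was logged but not blocked, which is why collecting the log after a boot with enforcing=0 gives the complete set of denials rather than stopping at the first one that breaks startup.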

2016-10-29 21:22:37

by guido

Subject: [refpolicy] I want to use refpolicy in centos 7

Hello again.

On Thu, 27/10/2016 at 17.21 +0900, ??? via refpolicy wrote:
> I install centos7 and use targeted policy
>
> But i want to use refpolicy for modifying policy so i did download
> using following steps
> 1. #git clone https://github.com/TresysTechnology/refpolicy.git
>
> 2. #cd refpolicy
> 3. #git submodule init
> 4. #git submodule update
> 5. Change build.conf file
> Type=mls
> NAME = refpolicy
> MONOLITHIC = y
> 6. #make install-src

Also, remember the correct sequence is:

# (make conf)
# make install-src
# make policy
# make install
# make load

in the Reference Policy directory.

> 7. cd /etc/selinux/refpolicy/src/policy/
> 8. #Make load

I think step 7 is wrong.

> 9. #Cd /etc/selinux and Change config file
> SELINUX = permissive
> SELINUXTYPE = refpolicy
> 10. #touch /.autorelabel

You can also relabel from the Reference Policy directory by issuing:

# make relabel

after you have installed the new policy.

> 11. #Reboot
>
> After desktop is rebooted
> 12. #setenforce 1
> 13. ...... permission deny
> 14. #Sestatus
> ....
> Loaded policy name: targeted ???(refpolicy -> targeted)
> Current mode : enforcing
> ....
> Mode from config file : error (permission denied)???
>
> What should I do?
> Help me...

2016-11-07 05:46:20

by diana4mond

Subject: [refpolicy] I want to use refpolicy in centos 7

From: "Jae-yong, Ko"<diana4mond at naver.com>
To: "Guido Trentalancia"<guido at trentalancia.net>; <refpolicy at oss.tresys.com>;

Thanks for your help.
It's taken me so long to write.
I'm trying to follow your steps, but I'm faced with unexpected errors.
First, make relabel:
some of the statements in the file_contexts and file_contexts.homedirs files produce invalid context errors like

[root at localhost policy]# make relabel
Traceback (most recent call last):
File "support/policyvers.py", line 3, in <module>
import selinux
File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 519, in <module>
SELABEL_CTX_ANDROID_SERVICE = _selinux.SELABEL_CTX_ANDROID_SERVICE
AttributeError: 'module' object has no attribute 'SELABEL_CTX_ANDROID_SERVICE'
Relabeling filesystem types: btrfs ext2 ext3 ext4 xfs jfs
/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 193 has invalid context root:object_r:evolution_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 198 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 201 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 202 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 207 has invalid context root:object_r:mozilla_plugin_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 208 has invalid context root:object_r:gnome_keyring_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 210 has invalid context root:object_r:syncthing_config_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 220 has invalid context root:object_r:ppp_home_t:s0
/etc/selinux/refpolicy/contexts/files/file_contexts.homedirs: line 238 has invalid context root:object_r:oidentd_home_t:s0
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext2 and /usr/sbin/mke2fs, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext4 and /usr/sbin/mkfs.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext2 and /usr/sbin/e2fsck, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext3 and /usr/sbin/fsck.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext4 and /usr/sbin/fsck.ext3, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext3 and /usr/sbin/mkfs.ext4, using system_u:object_r:bin_t:s0.

To avoid these errors, I added a '#' symbol to the lines that generate errors in /etc/selinux/refpolicy/contexts/files/file_contexts and file_contexts.homedirs.
There are 538 invalid contexts in the file_contexts file, and 49 invalid context errors in file_contexts.homedirs.

After make relabel:

[root at localhost policy]# make relabel
Traceback (most recent call last):
File "support/policyvers.py", line 3, in <module>
import selinux
File "/usr/lib64/python2.7/site-packages/selinux/__init__.py", line 519, in <module>
SELABEL_CTX_ANDROID_SERVICE = _selinux.SELABEL_CTX_ANDROID_SERVICE
AttributeError: 'module' object has no attribute 'SELABEL_CTX_ANDROID_SERVICE'
Relabeling filesystem types: btrfs ext2 ext3 ext4 xfs jfs
/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext2 and /usr/sbin/mke2fs, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext4 and /usr/sbin/mkfs.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext2 and /usr/sbin/e2fsck, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext3 and /usr/sbin/fsck.ext2, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/fsck.ext4 and /usr/sbin/fsck.ext3, using system_u:object_r:bin_t:s0.
filespec_add: conflicting specifications for /usr/sbin/mkfs.ext3 and /usr/sbin/mkfs.ext4, using system_u:object_r:bin_t:s0.

And reboot. As a result, it boots into emergency mode. Is that the right condition in refpolicy?

Second, I think that I found some errors in policy.conf.

There are no declarations for the following types:

type tftp_conf_t;
type djbdns_tinydn_t;
type xdm_spool_t;
type dspam_tmp_t;
type cfengine_var_log_t;
type ccs_conf_t;
type httpd_cobbler_content_t;
type httpd_cobbler_content_ra_t;
type httpd_cobbler_content_rw_t;
type cupsd_spool_t;
type firewall_etc_rw_t;
type mandb_cache_t;
type rpm_cache_t;
type smbd_spool_t;
type sssd_log_t;

These types are used in AV rules or TE rules in the policy.conf file for the monolithic policy, but there are no declarations for them.
And I think there are some errors in the base.conf file in refpolicy for the loadable policy. I guess some alias keyword is not working in base.conf in the process of binary translation.

And I found a typing error in /refpolicy/src/policy/policy/modules/contrib/apache.if:
httpd_user_content_ra_t and httpd_user_content_rw_t are actually declared as httpd_user_ra_content_t and httpd_user_rw_content_t in /refpolicy/src/policy/policy/modules/contrib/apache.te.

So the sum of types, attributes and aliases differs from the number of entries in the type hash table.
I wonder whether that is intended.

Third,

In make load:

Installing file_contexts.
install -m 0644 file_contexts /etc/selinux/refpolicy/contexts/files/file_contexts
install -m 0644 homedir_template /etc/selinux/refpolicy/contexts/files/homedir_template
umask 022 ; python -E support/genhomedircon -d /etc/selinux -t refpolicy
The user "staff_u" is not present in the passwd file, skipping...
The user "sysadm_u" is not present in the passwd file, skipping...
The user "unconfined_u" is not present in the passwd file, skipping...
egrep '^[[:blank:]]*type .*customizable' policy.conf | cut -d';' -f1 | cut -d',' -f1 | cut -d' ' -f2 | LC_ALL=C sort -u > tmp/customizable_types
install -m 0644 tmp/customizable_types /etc/selinux/refpolicy/contexts/customizable_types
Loading refpolicy /etc/selinux/refpolicy/policy/policy.30

/usr/sbin/load_policy -q /etc/selinux/refpolicy/policy/policy.30

I logged load_policy.c in the libselinux process using printf:

libselinux>load_policy.c>selinux_mkload_policy function>
libselinux>load_policy.c>/etc/selinux/targeted/policy/policy.30

The Makefile loads /etc/selinux/refpolicy/policy/policy.30,
but what is actually loaded is /etc/selinux/targeted/policy/policy.30.

If I want to load refpolicy, what is the way to load it?

-----Original Message-----
From: "Guido Trentalancia"<guido at trentalancia.net>
To: "jaeyong, ko"<diana4mond at naver.com>; <refpolicy at oss.tresys.com>;
Cc:
Sent: 2016-10-30 (?) 06:22:37
Subject: Re: [refpolicy] I want to use refpolicy in centos 7

Hello again.

On Thu, 27/10/2016 at 17.21 +0900, ??? via refpolicy wrote:
> I install centos7 and use targeted policy
>
> But i want to use refpolicy for modifying policy so i did download
> using following steps
> 1. #git clone https://github.com/TresysTechnology/refpolicy.git
>
> 2. #cd refpolicy
> 3. #git submodule init
> 4. #git submodule update
> 5. Change build.conf file
> Type=mls
> NAME = refpolicy
> MONOLITHIC = y
> 6. #make install-src

Also, remember the correct sequence is:

# (make conf)
# make install-src
# make policy
# make install
# make load

in the Reference Policy directory.

> 7. cd /etc/selinux/refpolicy/src/policy/
> 8. #Make load

I think step 7 is wrong.

> 9. #Cd /etc/selinux and Change config file
> SELINUX = permissive
> SELINUXTYPE = refpolicy
> 10. #touch /.autorelabel

You can also relabel from the Reference Policy directory by issuing:

# make relabel

after you have installed the new policy.

> 11. #Reboot
>
> After desktop is rebooted
> 12. #setenforce 1
> 13. ...... permission deny
> 14. #Sestatus
> ....
> Loaded policy name: targeted ???(refpolicy -> targeted)
> Current mode : enforcing
> ....
> Mode from config file : error (permission denied)???
>
> What should I do?
> Help me...
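The two findings reported in the post above, rules that reference types no `type` statement declares and file_contexts entries that setfiles rejects as "invalid context", are both consistency checks that can be scripted. The following Python is an added example written for this page; it is not part of the thread and not refpolicy's own tooling. It parses `attribute`, `type` (including `alias` lists) and `typealias` declarations from policy.conf-style text, collects every type or attribute named by AV rules and type_* rules, reports the difference, and then validates each file_contexts context's type field against the declared set. That last check is the same idea setfiles applies when it validates contexts against the policy currently loaded in the kernel, so a file_contexts file built for one policy store will produce exactly this kind of "invalid context" error while a different policy is loaded. All identifiers in the two sample inputs are constructed, and three of them are deliberately left undeclared.

```python
import re

# Rule keywords whose operands name types or attributes.
AV_RULES = {"allow", "dontaudit", "auditallow", "neverallow"}
TYPE_RULES = {"type_transition", "type_member", "type_change"}
SPECIAL_TARGETS = {"self"}  # keyword, not a declared type

# Constructed policy.conf-style excerpt (kernel policy language). Names are
# made up; tftp_conf_t, tmp_t and sshd_tmp_t are deliberately undeclared.
SAMPLE_POLICY_CONF = """
attribute domain;
attribute file_type;
type sshd_t, domain;
type etc_t, file_type;
type bin_t alias { sbin_t ls_exec_t }, file_type;
type httpd_user_rw_content_t, file_type;
typealias httpd_user_rw_content_t alias httpd_user_content_rw_t;
type user_home_dir_t, file_type;
allow sshd_t etc_t:file { read open getattr };
allow sshd_t self:process signal;
allow sshd_t sbin_t:file execute;
allow sshd_t httpd_user_content_rw_t:file read;
allow sshd_t tftp_conf_t:file read;            # undeclared type
allow domain user_home_dir_t:dir search;
type_transition sshd_t tmp_t:file sshd_tmp_t;  # two undeclared types
"""

# Constructed file_contexts excerpt: REGEX [-FILETYPE] CONTEXT, or <<none>>.
SAMPLE_FILE_CONTEXTS = r"""# constructed sample, not a real file_contexts
/etc(/.*)?                 system_u:object_r:etc_t:s0
/home/[^/]+(/.*)?          system_u:object_r:user_home_dir_t:s0
/home/[^/]+/\.ppp(/.*)?    system_u:object_r:ppp_home_t:s0
/usr/sbin/sshd          -- system_u:object_r:sshd_exec_t:s0
/proc                      <<none>>
"""


def _statements(policy_text):
    """Split on ';' after dropping '#' comments. Rules nested inside
    'if (bool) { ... }' blocks are not handled by this simple splitter."""
    stripped = "\n".join(l.split("#", 1)[0] for l in policy_text.splitlines())
    return [s.strip() for s in stripped.split(";") if s.strip()]


def _names(fragment):
    """Identifiers in 'a', '{ a b }', '~{ a }' or '-a' set syntax."""
    return {t for t in re.sub(r"[{}~\-]", " ", fragment).split()
            if t not in SPECIAL_TARGETS}


def declared_names(policy_text):
    """Types, attributes and aliases introduced by declaration statements."""
    declared = set()
    for stmt in _statements(policy_text):
        words = stmt.split()
        if words[0] == "attribute":
            declared.add(words[1])
        elif words[0] == "type":
            # type NAME [alias ALIAS | alias { A B }] [, ATTRIBUTE, ...]
            head = stmt.partition(",")[0].split()
            declared.add(head[1])
            if len(head) > 3 and head[2] == "alias":
                declared |= _names(" ".join(head[3:]))
        elif words[0] == "typealias" and "alias" in words[2:]:
            declared |= _names(" ".join(words[words.index("alias", 2) + 1:]))
    return declared


def referenced_names(policy_text):
    """Types/attributes named as source, target or result of rules."""
    referenced = set()
    for stmt in _statements(policy_text):
        kw = stmt.split()[0]
        if kw not in AV_RULES and kw not in TYPE_RULES:
            continue
        before, _, after = stmt.partition(":")
        referenced |= _names(before[len(kw):])          # SRC and TGT
        if kw in TYPE_RULES:
            # after ':' comes CLASS or { CLASSES }, then the result type
            m = re.match(r"\s*(?:\{[^}]*\}|\S+)\s+(\S+)", after)
            if m:
                referenced.add(m.group(1))
    return referenced


def undeclared_names(policy_text):
    return sorted(referenced_names(policy_text) - declared_names(policy_text))


def invalid_file_contexts(fc_text, declared):
    """(line number, context) for entries whose type is not declared."""
    bad = []
    for lineno, line in enumerate(fc_text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.endswith("<<none>>"):
            continue
        context = line.split()[-1]
        fields = context.split(":")
        if len(fields) < 3 or fields[2] not in declared:
            bad.append((lineno, context))
    return bad


if __name__ == "__main__":
    print("undeclared:", undeclared_names(SAMPLE_POLICY_CONF))
    declared = declared_names(SAMPLE_POLICY_CONF)
    for lineno, ctx in invalid_file_contexts(SAMPLE_FILE_CONTEXTS, declared):
        print(f"line {lineno} has invalid context {ctx}")
```

Commenting out the rejected file_contexts lines removes the message but leaves those paths unlabelled or mislabelled under the new policy, which is the kind of gap that shows up later as denials; the useful outcome of the check is a list of types that the policy actually loaded does not know, which points at either a build that dropped declarations or a different policy store being loaded than the one whose file_contexts is being applied.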
