My purpose is to customize SELinux policies for my own daemon. I want to create a new user, role and type on my system. I thought I'd need the policy sources to achieve the recompilation, so I started from refpolicy. On my box the directories you indicated are created automatically, so I think there are other problems.

I've updated the policy toolchain:

selinux-policy-2.3.13-5
libselinux-1.30.3-4.fc5
selinux-policy-strict-2.3.13-5
libsepol-1.12.26-1
libsemanage-1.6.16-2
policycoreutils-1.30.29-1
checkpolicy-1.30.9-1.1

My refpolicy/src/policy/build.conf:

TYPE=strict-mcs
NAME=refpolicy
DISTRO=redhat
DIRECT_INITRC=y
MONOLITHIC=n

After the update, I re-compiled the refpolicy source and got the following errors:

libsepol.mls_read_range_helper: truncated range
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/base.pp.
/usr/sbin/semodule: Failed!
make: *** [load] Error 1

The directory tmp exists, but the file base.pp doesn't. I need help here.

Thank you so much :)

Benjamin

-----Original Message-----
From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx]
Sent: Tuesday, September 12, 2006 9:01 PM
To: Christopher J. PeBenito
Cc: Daniel J Walsh; Karl MacMillan; Joshua Brindle; Benjamin Tsai; fedora-selinux-list@xxxxxxxxxx
Subject: RE: How to apply new policy exactly?

On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > Thank you for the clarification. I have reconfigured selinux/config
> > and recompiled policy the way I did it yesterday, but now I get
> > another error like this
> >
> > libsemanage.semanage_install_active: Could not
> > copy /etc/selinux/refpolicy/modules/active/policy.kern
> > to /etc/selinux/refpolicy/policy/policy.20.
> > mkdir -p /etc/selinux/refpolicy/policy

Also mkdir -p /etc/selinux/refpolicy/contexts/files

It would be nice if libsemanage did the equivalent automatically if they don't exist.

However, I'm not clear that Benjamin is on the right path here. What is it that you actually want to achieve? Why are you installing upstream refpolicy? And what exact refpolicy are you installing - the 20060307 release or the current svn trunk? And what are the rest of your build.conf options - you only mentioned the DISTRO=redhat one, but Fedora customizes other settings as well, like DIRECT_INITRC=y, and it builds modular (MONOLITHIC=n) policy for FC5 and later. You also likely want the TYPE= to include the -mcs suffix so that your on-disk file contexts are compatible, particularly since some packages are now using semanage with local file contexts.

FC5 already uses refpolicy as its basis for building its targeted and strict policy packages, so I'm not sure what you hope to gain by building directly from the upstream refpolicy. Last I looked though, strict policy was broken in FC5 because it was modular w/o the newer libsepol/checkpolicy that supported optionals-in-base (take 2). Dan, is that still the case? You either need libsepol >= 1.12.18 and checkpolicy >= 1.30.8 or a strict policy that puts everything into base.

If you are trying to build a strict policy that works on FC5, I think you need a newer policy toolchain (either from upstream svn or the Fedora devel tree). You could try just updating to the devel versions of libsepol, checkpolicy, libselinux, libsemanage, and policycoreutils, and then installing the devel version of selinux-policy-strict. Then you don't need to build upstream refpolicy yourself. Even if you want to build upstream refpolicy yourself, I think you'll need the newer policy toolchain unless you collapse everything into the base module.
--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
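As an added pre-flight check, not part of the thread above, this POSIX shell script encodes the conditions Stephen lists before a modular refpolicy build on FC5: TYPE carrying the -mcs suffix, DIRECT_INITRC=y, and, when MONOLITHIC=n, libsepol >= 1.12.18 with checkpolicy >= 1.30.8 for optionals-in-base. The helper names and the sample build.conf are constructed for this example; the version floors and settings come from the thread.

```shell
#!/bin/sh
# Pre-flight check for a modular refpolicy build on FC5 (constructed example).
# Version floors (libsepol >= 1.12.18, checkpolicy >= 1.30.8) and build.conf
# expectations follow Stephen's reply; function names are ours.

# vercmp_ge A B: succeed when dotted version A >= B; a "-release" suffix
# such as 1.12.26-1 is ignored.
vercmp_ge() {
    a="${1%%-*}" b="${2%%-*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# modular_toolchain_ok LIBSEPOL CHECKPOLICY: optionals-in-base support present.
modular_toolchain_ok() {
    vercmp_ge "$1" 1.12.18 && vercmp_ge "$2" 1.30.8
}

# conf_get FILE KEY: value of KEY=value in a refpolicy build.conf.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_build FILE LIBSEPOL CHECKPOLICY: print each problem, fail if any.
check_build() {
    rc=0
    case "$(conf_get "$1" TYPE)" in
        *-mcs) ;;
        *) echo "TYPE lacks -mcs: on-disk file contexts will not match FC5"; rc=1 ;;
    esac
    [ "$(conf_get "$1" DIRECT_INITRC)" = y ] || { echo "Fedora builds with DIRECT_INITRC=y"; rc=1; }
    if [ "$(conf_get "$1" MONOLITHIC)" = n ]; then   # monolithic builds skip this
        modular_toolchain_ok "$2" "$3" ||
            { echo "modular build needs libsepol>=1.12.18 and checkpolicy>=1.30.8 (have $2, $3)"; rc=1; }
    fi
    return $rc
}

# Constructed sample mirroring the build.conf and toolchain posted in the thread.
SAMPLE=$(mktemp)
printf 'TYPE=strict-mcs\nNAME=refpolicy\nDISTRO=redhat\nDIRECT_INITRC=y\nMONOLITHIC=n\n' >"$SAMPLE"
check_build "$SAMPLE" 1.12.26-1 1.30.9-1.1 && echo "build.conf and toolchain are consistent"
rm -f "$SAMPLE"
```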