Re: Switching to monolithic policy

On 08/04/2016 07:06 AM, sagivdev@xxxxxxxxx wrote:
Hello all,

I am new to SELinux. My goal is to implement a custom, small policy on an embedded device.
Currently, I have a working modified (narrowed down) policy based on the targeted refpolicy. I use a custom openembedded environment.

My thought was that since I aim to use the policy on an embedded device (so no changes should be made to the policy at all), using a monolithic policy will save space and I could also give up on the managing tools, reducing more space.


I would look at how Android uses SELinux. Their policy might be a better starting point for you as well.

This link has some information and some other helpful references:
https://source.android.com/security/selinux/

There is a general SELinux mailing list that you can join by sending email to selinux-join@xxxxxxxxxxxxx and there is an SE for Android list that you can join by sending email to seandroid-list-join@xxxxxxxxxxxxx.

I am having trouble switching to monolithic policy. I wanted to make sure that the errors were not resulting from my specific rules, so I reverted for now to the regular targeted refpolicy that arrives with the openembedded SELinux meta. This is the resulting error:

| Creating targeted policy.conf
| Compiling targeted policy.29
| policy/modules/roles/sysadm.te:78:ERROR 'duplicate role transition for (sysadm_r,abrt_initrc_exec_t,process)' at token ';' on line 2454354:
| #line 78
|                       role_transition sysadm_r abrt_initrc_exec_t system_r;
| checkpolicy:  error(s) encountered while parsing configuration
| /lte/sagivde/local_views/sagivde_selinux_policy_1/vobs/le920/apps_proc/oe-core/build/tmp-glibc/sysroots/x86_64-linux/usr/bin/checkpolicy:  loading policy configuration from policy.conf
| make: *** [policy.29] Error 1

If I comment out the above rule a different error occurs, and this happens again for the next error, and so on.

My questions are:
1. Is moving to monolithic policy really a good choice in my case? (reduce memory consumption and disk space)
2. If so, how can I solve the above error?

Thanks,
Sagiv.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx



--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
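A pre-check for the build failure quoted in the thread, added here as an example (it is not code from either poster or from refpolicy): it scans a monolithic policy.conf for every role_transition whose (role, type, class) key occurs more than once, so all conflicts are listed in one pass instead of one per checkpolicy run. The `#line N "file"` syncline format used to map hits back to .te files and the sample policy text are assumptions.

```python
import re
from collections import defaultdict

# One role_transition statement in monolithic policy.conf syntax, e.g.
#   role_transition sysadm_r abrt_initrc_exec_t system_r;
#   role_transition { sysadm_r staff_r } ssh_exec_t:process system_r;
ROLE_TRANS_RE = re.compile(
    r"^\s*role_transition\s+(?P<roles>\{[^}]*\}|\S+)\s+"
    r"(?P<types>\{[^}]*\}|[^\s:;]+)(?::(?P<classes>\{[^}]*\}|\S+))?\s+"
    r"(?P<new_role>[^\s;]+)\s*;")
# Assumed m4 syncline form in policy.conf: #line 78 "policy/modules/roles/sysadm.te"
LINE_DIRECTIVE_RE = re.compile(r'^#line\s+(\d+)(?:\s+"([^"]*)")?')

# Constructed sample: the abrt_initrc_exec_t rule repeats the key checkpolicy reported.
SAMPLE_POLICY_CONF = """\
#line 76 "policy/modules/roles/sysadm.te"
role_transition sysadm_r abrt_initrc_exec_t system_r;
role_transition sysadm_r { ssh_exec_t } system_r;
#line 40 "policy/modules/contrib/abrt.te"
allow sysadm_t abrt_initrc_exec_t:file { read execute };
role_transition sysadm_r abrt_initrc_exec_t:process system_r;
role_transition { sysadm_r staff_r } ssh_exec_t:process system_r;
"""

def _expand(group):
    """Turn 'x', '{ x y }' or None into a list of identifiers."""
    return group.strip("{} ").split() if group else []

def find_duplicate_role_transitions(policy_conf):
    """Map each (role, type, class) key seen more than once to its
    [(new_role, source_file, source_line), ...] occurrences (any target role)."""
    seen = defaultdict(list)
    src_file, src_line = "policy.conf", 0
    for line in policy_conf.splitlines():
        directive = LINE_DIRECTIVE_RE.match(line)
        if directive:  # the next line is line N of the named source file
            src_line = int(directive.group(1)) - 1
            src_file = directive.group(2) or src_file
            continue
        src_line += 1
        m = ROLE_TRANS_RE.match(line)
        if not m:
            continue
        classes = _expand(m.group("classes")) or ["process"]  # class defaults to process
        for role in _expand(m.group("roles")):
            for typ in _expand(m.group("types")):
                for cls in classes:
                    seen[(role, typ, cls)].append((m.group("new_role"), src_file, src_line))
    return {key: hits for key, hits in seen.items() if len(hits) > 1}
```

Run it on the policy.conf that `make` generates before invoking checkpolicy; each reported key names the two .te locations that must be reconciled.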