On 08/04/2016 01:06 PM, sagivdev@xxxxxxxxx wrote:
> Hello all,
>
> I am new to SELinux. My goal is to implement a custom, small policy on an embedded device.
> Currently, I have a working modified (narrowed down) policy based on the targeted refpolicy. I use a custom openembedded environment.
>
> My thought was that since I aim to use the policy on an embedded device (so no changes should be made to the policy at all), using a monolithic policy will save space and I could also give up on the managing tools, reducing more space.
>

I believe it is a correct assumption to go with a monolithic policy for your embedded device. I would also think that you don't need to have policies from the contrib repository (I don't think that ABRT policy is needed for your embedded for example). Maybe you could just go with policies from refpolicy-base.

> I am having trouble switching to monolithic policy. I wanted to make sure that the errors were not resulting from my specific rules, so I reverted for now to the regular targeted refpolicy that arrives with the openembedded SELinux meta. This is the resulting error:
>
> | Creating targeted policy.conf
> | Compiling targeted policy.29
> | policy/modules/roles/sysadm.te:78:ERROR 'duplicate role transition for (sysadm_r,abrt_initrc_exec_t,process)' at token ';' on line 2454354:
> | #line 78
> | role_transition sysadm_r abrt_initrc_exec_t system_r;
> | checkpolicy: error(s) encountered while parsing configuration
> | /lte/sagivde/local_views/sagivde_selinux_policy_1/vobs/le920/apps_proc/oe-core/build/tmp-glibc/sysroots/x86_64-linux/usr/bin/checkpolicy: loading policy configuration from policy.conf
> | make: *** [policy.29] Error 1
>
> If I comment out the above rule a different error occurs, and this happens again for the next error and so on..
>
> My questions are:
> 1. Is moving to monolithic policy really a good choice in my case? (reduce memory consumption and disk space)
> 2. If so - how can I solve the above error?
>
> Thanks,
> Sagiv.
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
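The error quoted above is checkpolicy refusing a second role_transition for the same (role, type, class) key once every module is flattened into one policy.conf, and commenting rules out one at a time surfaces them one per build. The added script below (example code, not part of the thread or of refpolicy) scans a policy.conf and reports every duplicate key with the source file and line each copy came from; it assumes the generated policy.conf carries m4-style "#line N "file"" markers, as the "#line 78" in the error suggests, and the abrt.te location in the sample is a constructed placeholder.

```python
import re
from collections import defaultdict

# Constructed policy.conf fragment (not taken from the build in the post).
# "#line N "file"" markers record where each following statement came from.
SAMPLE_POLICY_CONF = '''\
#line 78 "policy/modules/roles/sysadm.te"
role_transition sysadm_r abrt_initrc_exec_t system_r;
#line 40 "policy/modules/contrib/abrt.te"
role_transition { sysadm_r staff_r } abrt_initrc_exec_t:process system_r;
#line 12 "policy/modules/system/init.te"
role_transition sysadm_r init_exec_t:process system_r;
'''

LINE_MARKER_RE = re.compile(r'#line\s+(\d+)\s+"([^"]+)"')
# role_transition <roles> <types>[:<class>] <new_role>;  (class defaults to process)
ROLE_TRANS_RE = re.compile(
    r'^role_transition\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+?)(?::(\S+))?\s+(\S+)\s*;')

def expand_set(field):
    """Turn '{ a b }' into ['a', 'b'] and a bare identifier into a one-item list."""
    return field.strip('{} ').split()

def find_duplicate_role_transitions(policy_conf_text):
    """Return {(role, type, class): [(file, line), ...]} for every key declared twice or more."""
    seen = defaultdict(list)
    cur_file, cur_line = '<unknown>', 0
    for raw in policy_conf_text.splitlines():
        line = raw.strip()
        marker = LINE_MARKER_RE.match(line)
        if marker:
            # The line after a marker is line N of the named source file.
            cur_line, cur_file = int(marker.group(1)), marker.group(2)
            continue
        m = ROLE_TRANS_RE.match(line)
        if m:
            roles, types, tclass, _new_role = m.groups()
            for role in expand_set(roles):
                for ttype in expand_set(types):
                    seen[(role, ttype, tclass or 'process')].append((cur_file, cur_line))
        cur_line += 1
    return {key: locs for key, locs in seen.items() if len(locs) > 1}

if __name__ == '__main__':
    for (role, ttype, tclass), locs in find_duplicate_role_transitions(SAMPLE_POLICY_CONF).items():
        where = ', '.join(f'{f}:{n}' for f, n in locs)
        print(f'duplicate role transition for ({role},{ttype},{tclass}) declared at {where}')
```

Run it against the real policy.conf left behind by the failed build (e.g. read the file into the function instead of the sample) to get the full list in one pass, which tells you which modules to drop from modules.conf before rebuilding.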