Hi Richard,

Thanks for replying back.

1) The policy.31 binary is not getting created at:
   /etc/selinux/refpolicy/policy/policy.31

2) Using the verbose mode of the makefile I can see that the semodule command is reached.
   But even in verbose mode, I can't see any action / command message shown
   for policy.31 being created.
   Hence I am trying to understand how the final policy.31 file is being created.

3) Below are the files being created under /etc/selinux:

   refpolicy/contexts:
   customizable_types  default_type  initrc_context  removable_context  userhelper_context  virtual_image_context
   dbus_contexts  failsafe_context  lxc_contexts  securetty_types  users  x_contexts
   default_contexts  files  openrc_contexts  sepgsql_contexts  virtual_domain_context

   refpolicy/policy:

   refpolicy/src:
   policy

4) Below are the files being created under /usr/share/selinux/refpolicy/include/

   admin  apps  build.conf  global_tunables.xml  kernel.xml  roles  services  support  system.xml
   admin.xml  apps.xml  global_booleans.xml  kernel  Makefile  roles.xml  services.xml  system

Any pointers on the probable aspect which can cause such an error, as I am trying
to understand how the policy.31 binary is created from individual modules.

Thanks,
Ashish

On Sun, Dec 6, 2020 at 8:59 PM Richard Haines <richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > Hi All,
> >
> > Good Morning.
> >
> > I am following the SELINUX NOTEBOOK & trying the same at my end.
> >
> > - The refpolicy modules are copied at /usr/share/selinux/refpolicy
> >   I can see around 400+ modules there.
> >   But can senior members please help me understand how the
> >   /etc/selinux/refpolicy/policy/policy.31 is created using the modules
> >   available at
> >   /usr/share/selinux
> >   The commands I followed:
> >   $ make install-src
> >   $ make conf
> >   $ make load ( tried even $ make install )
> >   $ make install-headers
> >
>
> Just to be clear (as you didn't state whether the binary policy file
> was built at all), if you run these commands:
>
> mkdir refpol
> cd refpol
> git clone https://github.com/SELinuxProject/refpolicy.git
> Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> make install-src
> cd /etc/selinux/refpolicy/src/policy
> make conf
> make load
> make install-headers
>
> The policy binary file should now be created at:
> /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> True ??
>
> To add a new module (that will rebuild the binary policy file) you can
> install the new *.te *.if and *.fc files in a directory and run from
> that directory (you will need to ensure /etc/selinux/config has
> SELINUXTYPE=refpolicy set):
>
> make -f /usr/share/selinux/refpolicy/include/Makefile load
>
> This Makefile basically reads the build.conf file, uses checkmodule to
> build the *.pp file, then semodule to add to store and build the binary
> policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
> files).
>
> I've just tried this on Fedora 33 with no problems.
>
> Note: While running through this example I noticed an error in the
> Notebook - the Reference policy does not have a contribute section, I'll
> send patch to remove:
>
> Add the contributed modules (policy/modules/contrib)
> git submodule init
> git submodule update
>
> >
> > - This can help me to debug an issue where I am trying to get selinux
> >   of my custom distro where all the make commands are successfully
> >   executed but the policy.31 is not getting created
> >
> > - I can even see the "include" folder also getting created for make
> >   install-headers
> >
> > Any pointers will be helpful or please let me know if I am missing
> > any aspect here.
> >
> > Thanks,
> > Ashish.
> >
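
A quick check of the three things this thread points at (SELINUXTYPE in /etc/selinux/config, the prebuilt *.pp files under /usr/share/selinux, and the resulting policy.NN file), as an added example that is not part of the original e-mails or of refpolicy. The function name check_policy_build, its return codes and the optional ROOT prefix argument (for pointing the check at a staged image of a custom distro) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report which output of the refpolicy build described in
# the thread is missing. Not part of the original e-mails.
# Usage: check_policy_build [ROOT]   (ROOT = image root, default: live system)
# Return codes (hypothetical, chosen for this example):
#   0 binary policy present          1 /etc/selinux/config missing
#   2 SELINUXTYPE not set            3 no prebuilt *.pp modules
#   4 modules present but no policy.NN was written
check_policy_build() {
    root=${1:-}
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "missing $cfg"; return 1; }

    # SELINUXTYPE names the directory under /etc/selinux (e.g. refpolicy).
    # Commented-out lines are ignored; the last assignment wins.
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "SELINUXTYPE not set in $cfg"; return 2; }

    # Prebuilt module packages that semodule uses when building the policy.
    set -- "$root/usr/share/selinux/$ptype"/*.pp
    [ -e "$1" ] || { echo "no *.pp under $root/usr/share/selinux/$ptype"; return 3; }
    echo "$# module package(s) found for policy type $ptype"

    # The binary policy itself: policy.31, or .32 as noted in the thread.
    for f in "$root/etc/selinux/$ptype/policy"/policy.[0-9]*; do
        if [ -s "$f" ]; then
            echo "binary policy: $f"
            return 0
        fi
    done
    echo "no policy.NN in $root/etc/selinux/$ptype/policy"
    return 4
}
```

Source the file and call check_policy_build with no argument on the target, or with the root of an unpacked image; return code 4 corresponds to the situation described in the first message above.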