Hi Richard ,
Thanks for sharing the inputs .
Will try the monolithic suggestion & share the observation
- This system doesn't have any selinux policy running .
So i am adding the refpolicy to sdk rootfs
- I tried some further debugging & can confirm below discrepancy as
mentioned in ( point-4 ) below with PKG=refpolicy &
ROOT=/tmp/custom-embedded-rootfs
1) The task of MAKE INSTALL-SRC is properly executed at required
/tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy properly
${MAKE} -C ${PKG} install-src DESTDIR=${ROOT}
2) Does the task of MAKE CONFIG is properly executed at required
/tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy properly
${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy conf DESTDIR=${ROOT}
3) The task till copying *.pp files to
/tmp/custom-embedded-rootfs/usr/share/selinux/refpolicy/ is proper
4) Further debugging I can confirm that the final binary (policy.31)
seems to be
using HARD-CODDED location of /etc/selinux instead of what is
being passed as DESTDIR.
The policy.31 is created not at custom-embedded-rootfs location.
Due to this :
- policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
instead of what i was expecting at
/tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
as DESTDIR=${ROOT} and i do get *.pp at the expected
location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load
DESTDIR=${ROOT}
Will try the pointers you suggested .
Please do let me know if any input / suggestion / feedback on (
point-4 ) above.
Apologies if i am missing any obvious / well-known aspect of selinux
refolicy project here.
Thanks ,
Ashish
<richard_c_haines@xxxxxxxxxxxxxx> wrote:
>
> On Mon, 2020-12-07 at 06:51 +0530, Ashish Mishra wrote:
> > Hi Richard ,
> >
> > 1) There are approx 426 *.pp files being created under
> > /usr/share/selinux/refpolicy
> > Attached is the log , which contains the list of files .
> >
> > 2) I can confirm the stages till semodule
> >
> > 3) This is a custom Linux SDK 4.x series BSP on which i am trying to
> > get the refpolicy
> > installed .
> >
> > 4) Any pointers to verify if make load is happening as expected or
> > https://github.com/SELinuxProject/selinux installation
> > Because i am not observing any error here during make -v .
> >
> > I am trying to look at the probable cause / pointers to debug the
> > missing policy.31 file here.
> > Any inputs will be helpful .
>
> Have you tried building a monolithic policy as this does not use
> semodule (uses checkpolicy). Just change the build.conf 'MONOLITHIC =
> y'
> Building this on a clean system does not build/install the
> /usr/share/selinux/refpolicy modules so quite simple build.
> You could also set 'OUTPUT_POLICY = <ver>' to build a lower version
> binary policy (e.g. 21).
>
> Otherwise (running out of ideas):
> 1) Is this already a working SELinux system (e.g. do you have the
> 'targeted' or 'mls' policy installed)
> 2) When 'make load' gets to semodule, what errors do you see.
> 3) When semodule builds it installs a policy store (default) at
> /var/lib/selinux/refpolicy. Do you have this when you build a modular
> policy ?
>
>
> >
> > Thanks .
> > Ashish
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Sun, Dec 6, 2020 at 10:45 PM Richard Haines
> > <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > >
> > > On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote:
> > > > Hi Richard ,
> > > >
> > > > Thanks for replying back.
> > > >
> > > > 1) The policy.31 binary is not getting created at:
> > > > /etc/selinux/refpolicy/policy/policy.31
> > > >
> > > > 2) Using the verbose of makefile I can see that the semodule
> > > > command
> > > > is reached .
> > > > But even in verbose mode , I can't see any action / command
> > > > message
> > > > shown for policy.31 being created.
> > > > Hence I am trying to understand how the final policy.31 file
> > > > is
> > > > being created .
> > >
> > > You will not see a reference to 'policy.31' when running semodule.
> > > It
> > > just takes the large list of modules and its store id, the rest is
> > > magic (the default name is 'policy', the version is derived from
> > > the
> > > policy-version= entry in the semanage.conf file or the kernel
> > > default).
> > > It then adds the policy binary file to:
> > >
> > > /etc/selinux/<SELINUXTYPE>/policy/policy.<ver>
> > >
> > > Where <SELINUXTYPE> is the policy store id that should match the
> > > /etc/selinux/config SELINUXTYPE= entry when loading the policy.
> > >
> > > For example when I run 'make -d load' I see (cutdown):
> > >
> > > Loading configured modules.
> > > /usr/sbin/semodule -s refpolicy -i
> > > /usr/share/selinux/refpolicy/base.pp
> > > -i /usr/share/selinux/refpolicy/abrt.pp ......
> > >
> > > BTW what distro/version are you using as I use Fedora 33 that by
> > > default generates an '/etc/selinux/refpolicy/policy/policy.32'
> > > binary
> > > file.
> > >
> > > >
> > > > 3) Below are the files being created under /etc/selinux :
> > > > refpolicy/contexts:
> > > > customizable_types default_type initrc_context
> > > > removable_context userhelper_context virtual_image_context
> > > > dbus_contexts failsafe_context lxc_contexts
> > > > securetty_types users x_contexts
> > > > default_contexts files openrc_contexts
> > > > sepgsql_contexts virtual_domain_context
> > > >
> > > > refpolicy/policy:
> > > My initial thought is that 'make load' is not being called or
> > > something
> > > is wrong with
> > > 'https://github.com/SELinuxProject/selinux' installation
> > >
> > > >
> > > > refpolicy/src:
> > > > policy
> > > >
> > > >
> > > > 4) Below are the files being created under
> > >
> > > Are there any *.pp files under:
> > > /usr/share/selinux/refpolicy
> > >
> > > If not again looks like 'https://github.com/SELinuxProject/selinux'
> > > installation problem checkpolicy/checkmodule ??
> > >
> > > > /usr/share/selinux/refpolicy/include/
> > > > admin apps build.conf global_tunables.xml
> > > > kernel.xml roles services support system.xml
> > > > admin.xml apps.xml global_booleans.xml kernel
> > > > Makefile roles.xml services.xml system
> > > >
> > > > Any pointer of probable aspect which can cause such error as I am
> > > > trying to understand
> > > > how policy.31 binary is created from individual modules
> > > >
> > > > Thanks ,
> > > > Ashish
> > > >
> > > >
> > > >
> > > >
> > > > On Sun, Dec 6, 2020 at 8:59 PM Richard Haines
> > > > <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> > > > >
> > > > > On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> > > > > > Hi All ,
> > > > > >
> > > > > > Good Morning .
> > > > > >
> > > > > > I am following the SELINUX NOTEBOOK & trying the same at my
> > > > > > end .
> > > > > >
> > > > > > - The refpolicy modules are copied at
> > > > > > /usr/share/selinux/refpolicy
> > > > > > i can see around 400+ modules there .
> > > > > > But can senior member' s please help me understand how is
> > > > > > the
> > > > > > /etc/selinux/refpolicy/policy/policy.31 created using the
> > > > > > modules
> > > > > > available at
> > > > > > /usr/share/selinux
> > > > > > The command i followed :
> > > > > > $ make install-src
> > > > > > $ make conf
> > > > > > $ make load ( tried even $ make install )
> > > > > > $ make install-headers
> > > > > >
> > > > >
> > > > > Just to be clear (as you didn't state whether the binary policy
> > > > > file
> > > > > was built at all), if you run these commands:
> > > > >
> > > > > mkdir refpol
> > > > > cd refpol
> > > > > git clone https://github.com/SELinuxProject/refpolicy.git
> > > > > Edit build.conf file to requirements (e.g. NAME = refpolicy
> > > > > etc.)
> > > > > make install-src
> > > > > cd /etc/selinux/refpolicy/src/policy
> > > > > make conf
> > > > > make load
> > > > > make install-headers
> > > > >
> > > > > The policy binary file should now be created at:
> > > > > /etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
> > > > > True ??
> > > > >
> > > > > To add a new module (that will rebuild the binary policy file)
> > > > > you
> > > > > can
> > > > > install the new *.te *.if and *.fc files in a directory and run
> > > > > from
> > > > > that directory (you will need to ensure /etc/selinux/config has
> > > > > SELINUXTYPE=refpolicy set):
> > > > >
> > > > > make -f /usr/share/selinux/refpolicy/include/Makefile load
> > > > >
> > > > > This Makefile basically reads the build.conf file, uses
> > > > > checkmodule
> > > > > to
> > > > > build the *.pp file, then semodule to add to store and build
> > > > > the
> > > > > binary
> > > > > policy (also using the prebuilt
> > > > > /usr/share/selinux/refpolicy/*.pp
> > > > > files).
> > > > >
> > > > > I've just tried this on Fedora 33 with no problems.
> > > > >
> > > > > Note: While running through example this I noticed an error in
> > > > > the
> > > > > Notebook - the Reference policy does not have a contibute
> > > > > section,
> > > > > I'll
> > > > > send patch to remove:
> > > > >
> > > > > Add the contibuted modules (policy/modules/contrib)
> > > > > git submodule init
> > > > > git submodule update
> > > > >
> > > > > >
> > > > > > - This can help me to debug an issue where i am trying to get
> > > > > > selinux
> > > > > > of my custom
> > > > > > distro where all the make command are successfully
> > > > > > executed
> > > > > > but
> > > > > > the policy.31
> > > > > > is not getting created
> > > > > >
> > > > > > - I can even see the "include" folder also getting created
> > > > > > for
> > > > > > make
> > > > > > install-headers
> > > > > >
> > > > > > Any pointers will be helpful or please let me know if i am
> > > > > > missing
> > > > > > any
> > > > > > aspect here .
> > > > > >
> > > > > > Thanks ,
> > > > > > Ashish.
> > > > >
> > > > >
> > >
> > >
>
>
