On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> Hi All,
>
> Good Morning.
>
> I am following the SELINUX NOTEBOOK & trying the same at my end.
>
> - The refpolicy modules are copied at /usr/share/selinux/refpolicy
>   I can see around 400+ modules there.
>   But can senior members please help me understand how is the
>   /etc/selinux/refpolicy/policy/policy.31 created using the modules
>   available at
>   /usr/share/selinux
>   The command I followed:
>      $ make install-src
>      $ make conf
>      $ make load ( tried even $ make install )
>      $ make install-headers
>

Just to be clear (as you didn't state whether the binary policy file
was built at all), if you run these commands:

    mkdir refpol
    cd refpol
    git clone https://github.com/SELinuxProject/refpolicy.git
    Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
    make install-src
    cd /etc/selinux/refpolicy/src/policy
    make conf
    make load
    make install-headers

The policy binary file should now be created at:
/etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)

True ??

To add a new module (that will rebuild the binary policy file) you can
install the new *.te, *.if and *.fc files in a directory and run from
that directory (you will need to ensure /etc/selinux/config has
SELINUXTYPE=refpolicy set):

    make -f /usr/share/selinux/refpolicy/include/Makefile load

This Makefile basically reads the build.conf file, uses checkmodule to
build the *.pp file, then semodule to add to store and build the binary
policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp
files). I've just tried this on Fedora 33 with no problems.

Note: While running through this example I noticed an error in the
Notebook - the Reference policy does not have a contribute section,
I'll send a patch to remove:

    Add the contributed modules (policy/modules/contrib)
    git submodule init
    git submodule update

>
> - This can help me to debug an issue where I am trying to get selinux
>   of my custom
>   distro where all the make commands are successfully executed but
>   the policy.31
>   is not getting created
>
> - I can even see the "include" folder also getting created for make
>   install-headers
>
> Any pointers will be helpful or please let me know if I am missing
> any
> aspect here.
>
> Thanks,
> Ashish.
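
For the case raised in this thread (the make targets succeed but no policy.31 appears), the following check confirms the two preconditions the reply names: SELINUXTYPE in /etc/selinux/config and a policy.NN file under /etc/selinux/<type>/policy. It is an added example, not part of the original messages or of refpolicy; the function names and the root-directory argument (so it can be pointed at a staging tree of a custom distro) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: script <root> <expected-type>
# <root> is "/" on a live system or a staging/sysroot directory (assumption).

# Print the SELINUXTYPE value from <root>/etc/selinux/config, or fail.
selinux_type() {
    cfg="$1/etc/selinux/config"
    [ -r "$cfg" ] || return 1
    # Commented-out lines do not match; the last assignment wins.
    val=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$cfg" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Print the highest-numbered policy.NN in <root>/etc/selinux/<type>/policy.
# Files whose suffix is not purely numeric are ignored.
binary_policy() {
    dir="$1/etc/selinux/$2/policy"
    best=""; bestver=-1
    for f in "$dir"/policy.*; do
        [ -f "$f" ] || continue
        ver=${f##*.}
        case "$ver" in ''|*[!0-9]*) continue ;; esac
        if [ "$ver" -gt "$bestver" ]; then bestver=$ver; best=$f; fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Exit status: 0 ok, 1 no SELINUXTYPE, 2 unexpected type, 3 no binary policy.
check_policy_store() {
    root=${1%/}; want=$2
    stype=$(selinux_type "$root") || { echo "no SELINUXTYPE in $root/etc/selinux/config"; return 1; }
    [ "$stype" = "$want" ] || { echo "SELINUXTYPE=$stype, expected $want"; return 2; }
    pol=$(binary_policy "$root" "$stype") || { echo "no policy.NN in $root/etc/selinux/$stype/policy"; return 3; }
    echo "ok: $pol"
}

# Run the check only when both arguments are given.
if [ "$#" -ge 2 ]; then check_policy_store "$1" "$2"; fi
```

Status 3 with a correct SELINUXTYPE corresponds to the situation described in the question: the configuration is in place but the load step never produced the binary policy.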