Should I be able to build trunk refpolicy with the user roles included in the base module? I can build it with the roles as modules, but if I try building them into base I get /usr/bin/checkmodule -M base.conf -o tmp/base.mod /usr/bin/checkmodule: loading policy configuration from base.conf libsepol.expand_module: Error while indexing out symbols /usr/bin/checkmodule: expand module failed I have refpolicy revision 2669, libsepol 2.0.25, checkpolicy 2.0.12. I have attached the modules.conf I am using, which seems to be the minimum number of things I need to build in to be able to build in roles. -- Martin Orr
# # This file contains a listing of available modules. # To prevent a module from being used in policy # creation, set the module name to "off". # # For monolithic policies, modules set to "base" and "module" # will be built into the policy. # # For modular policies, modules set to "base" will be # included in the base module. "module" will be compiled # as individual loadable modules. # # Layer: kernel # Module: corecommands # Required in base # # Core policy for shells, and generic programs # in /bin, /sbin, /usr/bin, and /usr/sbin. # corecommands = base # Layer: kernel # Module: corenetwork # Required in base # # Policy controlling access to network objects # corenetwork = base # Layer: kernel # Module: devices # Required in base # # Device nodes and interfaces for many basic system devices. # devices = base # Layer: kernel # Module: domain # Required in base # # Core policy for domains. # domain = base # Layer: kernel # Module: files # Required in base # # Basic filesystem types and interfaces. # files = base # Layer: kernel # Module: filesystem # Required in base # # Policy for filesystems. # filesystem = base # Layer: kernel # Module: kernel # Required in base # # Policy for kernel threads, proc filesystem, # and unlabeled processes and objects. # kernel = base # Layer: kernel # Module: mcs # Required in base # # Multicategory security policy # mcs = base # Layer: kernel # Module: mls # Required in base # # Multilevel security policy # mls = base # Layer: kernel # Module: selinux # Required in base # # Policy for kernel security interface, in particular, selinuxfs. # selinux = base # Layer: kernel # Module: terminal # Required in base # # Policy for terminals. # terminal = base # Layer: admin # Module: acct # # Berkeley process accounting # acct = module # Layer: admin # Module: alsa # # Ainit ALSA configuration tool # alsa = module # Layer: admin # Module: amanda # # Automated backup program. # amanda = module # Layer: admin # Module: amtu # # Abstract Machine Test Utility # amtu = module # Layer: admin # Module: anaconda # # Policy for the Anaconda installer. # anaconda = module # Layer: admin # Module: apt # # APT advanced package toll. # apt = module # Layer: admin # Module: backup # # System backup scripts # backup = module # Layer: admin # Module: bootloader # # Policy for the kernel modules, kernel image, and bootloader. # bootloader = module # Layer: admin # Module: brctl # # Utilities for configuring the linux ethernet bridge # brctl = module # Layer: admin # Module: certwatch # # Digital Certificate Tracking # certwatch = module # Layer: admin # Module: consoletype # # Determine of the console connected to the controlling terminal. # consoletype = module # Layer: admin # Module: ddcprobe # # ddcprobe retrieves monitor and graphics card information # ddcprobe = module # Layer: admin # Module: dmesg # # Policy for dmesg. # dmesg = module # Layer: admin # Module: dmidecode # # Decode DMI data for x86/ia64 bioses. # dmidecode = module # Layer: admin # Module: dpkg # # Policy for the Debian package manager. # dpkg = module # Layer: admin # Module: firstboot # # Final system configuration run during the first boot # after installation of Red Hat/Fedora systems. # firstboot = module # Layer: admin # Module: kudzu # # Hardware detection and configuration tools # kudzu = module # Layer: admin # Module: logrotate # # Rotate and archive system logs # logrotate = module # Layer: admin # Module: logwatch # # System log analyzer and reporter # logwatch = module # Layer: admin # Module: mrtg # # Network traffic graphing # mrtg = module # Layer: admin # Module: netutils # # Network analysis utilities # netutils = module # Layer: admin # Module: portage # # Portage Package Management System. The primary package management and # distribution system for Gentoo. # portage = module # Layer: admin # Module: prelink # # Prelink ELF shared library mappings. # prelink = module # Layer: admin # Module: quota # # File system quota management # quota = module # Layer: admin # Module: readahead # # Readahead, read files into page cache for improved performance # readahead = module # Layer: admin # Module: rpm # # Policy for the RPM package manager. # rpm = module # Layer: admin # Module: su # # Run shells with substitute user and group # su = module # Layer: admin # Module: sudo # # Execute a command with a substitute user # sudo = module # Layer: admin # Module: sxid # # SUID/SGID program monitoring # sxid = module # Layer: admin # Module: tmpreaper # # Manage temporary directory sizes and file ages # tmpreaper = module # Layer: admin # Module: tripwire # # Tripwire file integrity checker. # tripwire = module # Layer: admin # Module: tzdata # # Time zone updater # tzdata = module # Layer: admin # Module: updfstab # # Red Hat utility to change /etc/fstab. # updfstab = module # Layer: admin # Module: usbmodules # # List kernel modules of USB devices # usbmodules = module # Layer: admin # Module: usermanage # # Policy for managing user accounts. # usermanage = module # Layer: admin # Module: vbetool # # run real-mode video BIOS code to alter hardware state # vbetool = module # Layer: admin # Module: vpn # # Virtual Private Networking client # vpn = module # Layer: apps # Module: ada # # GNAT Ada95 compiler # ada = module # Layer: apps # Module: authbind # # Tool for non-root processes to bind to reserved ports # authbind = module # Layer: apps # Module: awstats # # AWStats is a free powerful and featureful tool that generates advanced # web, streaming, ftp or mail server statistics, graphically. # awstats = module # Layer: apps # Module: calamaris # # Squid log analysis # calamaris = module # Layer: apps # Module: cdrecord # # Policy for cdrecord # cdrecord = module # Layer: apps # Module: ethereal # # Ethereal packet capture tool. # ethereal = module # Layer: apps # Module: evolution # # Evolution email client # evolution = module # Layer: apps # Module: games # # Games # games = module # Layer: apps # Module: gift # # giFT peer to peer file sharing tool # gift = module # Layer: apps # Module: gnome # # GNU network object model environment (GNOME) # gnome = module # Layer: apps # Module: gpg # # Policy for GNU Privacy Guard and related programs. # gpg = module # Layer: apps # Module: irc # # IRC client policy # irc = module # Layer: apps # Module: java # # Java virtual machine # java = module # Layer: apps # Module: loadkeys # # Load keyboard mappings. # loadkeys = module # Layer: apps # Module: lockdev # # device locking policy for lockdev # lockdev = module # Layer: apps # Module: mono # # Run .NET server and client applications on Linux. # mono = module # Layer: apps # Module: mozilla # # Policy for Mozilla and related web browsers # mozilla = module # Layer: apps # Module: mplayer # # Mplayer media player and encoder # mplayer = module # Layer: apps # Module: rssh # # Restricted (scp/sftp) only shell # rssh = module # Layer: apps # Module: screen # # GNU terminal multiplexer # screen = module # Layer: apps # Module: slocate # # Update database for mlocate # slocate = module # Layer: apps # Module: thunderbird # # Thunderbird email client # thunderbird = module # Layer: apps # Module: tvtime # # tvtime - a high quality television application # tvtime = module # Layer: apps # Module: uml # # Policy for UML # uml = module # Layer: apps # Module: userhelper # # SELinux utility to run a shell with a new role # userhelper = module # Layer: apps # Module: usernetctl # # User network interface configuration helper # usernetctl = module # Layer: apps # Module: vmware # # VMWare Workstation virtual machines # vmware = module # Layer: apps # Module: webalizer # # Web server log analysis # webalizer = module # Layer: apps # Module: wine # # Wine Is Not an Emulator. Run Windows programs in Linux. # wine = module # Layer: apps # Module: wireshark # # Wireshark packet capture tool. # wireshark = module # Layer: apps # Module: yam # # Yum/Apt Mirroring # yam = module # Layer: kernel # Module: storage # # Policy controlling access to storage devices # storage = base # Layer: roles # Module: auditadm # # Audit administrator role # auditadm = module # Layer: roles # Module: secadm # # Security administrator role # secadm = module # Layer: roles # Module: staff # # Administrator's unprivileged user role # staff = base # Layer: roles # Module: sysadm # # General system administration role # sysadm = base # Layer: roles # Module: unprivuser # # Generic unprivileged user role # unprivuser = base # Layer: services # Module: afs # # Andrew Filesystem server # afs = module # Layer: services # Module: aide # # Aide filesystem integrity checker # aide = module # Layer: services # Module: amavis # # Daemon that interfaces mail transfer agents and content # checkers, such as virus scanners. # amavis = module # Layer: services # Module: apache # # Apache web server # apache = module # Layer: services # Module: apcupsd # # APC UPS monitoring daemon # apcupsd = module # Layer: services # Module: apm # # Advanced power management daemon # apm = module # Layer: services # Module: arpwatch # # Ethernet activity monitor. # arpwatch = module # Layer: services # Module: asterisk # # Asterisk IP telephony server # asterisk = module # Layer: services # Module: audioentropy # # Generate entropy from audio input # audioentropy = module # Layer: services # Module: automount # # Filesystem automounter service. # automount = module # Layer: services # Module: avahi # # mDNS/DNS-SD daemon implementing Apple ZeroConf architecture # avahi = module # Layer: services # Module: bind # # Berkeley internet name domain DNS server. # bind = module # Layer: services # Module: bitlbee # # Bitlbee service # bitlbee = module # Layer: services # Module: bluetooth # # Bluetooth tools and system services. # bluetooth = module # Layer: services # Module: canna # # Canna - kana-kanji conversion server # canna = module # Layer: services # Module: ccs # # Cluster Configuration System # ccs = module # Layer: services # Module: cipe # # Encrypted tunnel daemon # cipe = module # Layer: services # Module: clamav # # ClamAV Virus Scanner # clamav = module # Layer: services # Module: clockspeed # # Clockspeed simple network time protocol client # clockspeed = module # Layer: services # Module: comsat # # Comsat, a biff server. # comsat = module # Layer: services # Module: consolekit # # Framework for facilitating multiple user sessions on desktops. # consolekit = module # Layer: services # Module: courier # # Courier IMAP and POP3 email servers # courier = module # Layer: services # Module: cpucontrol # # Services for loading CPU microcode and CPU frequency scaling. # cpucontrol = module # Layer: services # Module: cron # # Periodic execution of scheduled commands. # cron = module # Layer: services # Module: cups # # Common UNIX printing system # cups = module # Layer: services # Module: cvs # # Concurrent versions system # cvs = module # Layer: services # Module: cyrus # # Cyrus is an IMAP service intended to be run on sealed servers # cyrus = module # Layer: services # Module: dante # # Dante msproxy and socks4/5 proxy server # dante = module # Layer: services # Module: dbskk # # Dictionary server for the SKK Japanese input method system. # dbskk = module # Layer: services # Module: dbus # # Desktop messaging bus # dbus = module # Layer: services # Module: dcc # # Distributed checksum clearinghouse spam filtering # dcc = module # Layer: services # Module: ddclient # # Update dynamic IP address at DynDNS.org # ddclient = module # Layer: services # Module: dhcp # # Dynamic host configuration protocol (DHCP) server # dhcp = module # Layer: services # Module: dictd # # Dictionary daemon # dictd = module # Layer: services # Module: distcc # # Distributed compiler daemon # distcc = module # Layer: services # Module: djbdns # # small and secure DNS daemon # djbdns = module # Layer: services # Module: dnsmasq # # dnsmasq DNS forwarder and DHCP server # dnsmasq = module # Layer: services # Module: dovecot # # Dovecot POP and IMAP mail server # dovecot = module # Layer: services # Module: exim # # Exim mail transfer agent # exim = module # Layer: services # Module: fail2ban # # Update firewall filtering to ban IP addresses with too many password failures. # fail2ban = module # Layer: services # Module: fetchmail # # Remote-mail retrieval and forwarding utility # fetchmail = module # Layer: services # Module: finger # # Finger user information service. # finger = module # Layer: services # Module: ftp # # File transfer protocol service # ftp = module # Layer: services # Module: gatekeeper # # OpenH.323 Voice-Over-IP Gatekeeper # gatekeeper = module # Layer: services # Module: gpm # # General Purpose Mouse driver # gpm = module # Layer: services # Module: hal # # Hardware abstraction layer # hal = module # Layer: services # Module: howl # # Port of Apple Rendezvous multicast DNS # howl = module # Layer: services # Module: i18n_input # # IIIMF htt server # i18n_input = module # Layer: services # Module: imaze # # iMaze game server # imaze = module # Layer: services # Module: inetd # # Internet services daemon. # inetd = module # Layer: services # Module: inn # # Internet News NNTP server # inn = module # Layer: services # Module: ircd # # IRC server # ircd = module # Layer: services # Module: irqbalance # # IRQ balancing daemon # irqbalance = module # Layer: services # Module: jabber # # Jabber instant messaging server # jabber = module # Layer: services # Module: kerberos # # MIT Kerberos admin and KDC # kerberos = module # Layer: services # Module: ktalk # # KDE Talk daemon # ktalk = module # Layer: services # Module: ldap # # OpenLDAP directory server # ldap = module # Layer: services # Module: lpd # # Line printer daemon # lpd = module # Layer: services # Module: mailman # # Mailman is for managing electronic mail discussion and e-newsletter lists # mailman = module # Layer: services # Module: monop # # Monopoly daemon # monop = module # Layer: services # Module: mta # # Policy common to all email tranfer agents. # mta = module # Layer: services # Module: munin # # Munin network-wide load graphing (formerly LRRD) # munin = module # Layer: services # Module: mysql # # Policy for MySQL # mysql = module # Layer: services # Module: nagios # # Net Saint / NAGIOS - network monitoring server # nagios = module # Layer: services # Module: nessus # # Nessus network scanning daemon # nessus = module # Layer: services # Module: networkmanager # # Manager for dynamically switching between networks. # networkmanager = module # Layer: services # Module: nis # # Policy for NIS (YP) servers and clients # nis = module # Layer: services # Module: nscd # # Name service cache daemon # nscd = module # Layer: services # Module: nsd # # Authoritative only name server # nsd = module # Layer: services # Module: ntop # # Network Top # ntop = module # Layer: services # Module: ntp # # Network time protocol daemon # ntp = module # Layer: services # Module: nx # # NX remote desktop # nx = module # Layer: services # Module: oav # # Open AntiVirus scannerdaemon and signature update # oav = module # Layer: services # Module: oddjob # # Oddjob provides a mechanism by which unprivileged applications can # request that specified privileged operations be performed on their # behalf. # oddjob = module # Layer: services # Module: openca # # OpenCA - Open Certificate Authority # openca = module # Layer: services # Module: openct # # Service for handling smart card readers. # openct = module # Layer: services # Module: openvpn # # full-featured SSL VPN solution # openvpn = module # Layer: services # Module: pcscd # # PCSC smart card service # pcscd = module # Layer: services # Module: pegasus # # The Open Group Pegasus CIM/WBEM Server. # pegasus = module # Layer: services # Module: perdition # # Perdition POP and IMAP proxy # perdition = module # Layer: services # Module: portmap # # RPC port mapping service. # portmap = module # Layer: services # Module: portslave # # Portslave terminal server software # portslave = module # Layer: services # Module: postfix # # Postfix email server # postfix = module # Layer: services # Module: postfixpolicyd # # Postfix policy server # postfixpolicyd = module # Layer: services # Module: postgresql # # PostgreSQL relational database # postgresql = module # Layer: services # Module: postgrey # # Postfix grey-listing server # postgrey = module # Layer: services # Module: ppp # # Point to Point Protocol daemon creates links in ppp networks # ppp = module # Layer: services # Module: privoxy # # Privacy enhancing web proxy. # privoxy = module # Layer: services # Module: procmail # # Procmail mail delivery agent # procmail = module # Layer: services # Module: publicfile # # publicfile supplies files to the public through HTTP and FTP # publicfile = module # Layer: services # Module: pxe # # Server for the PXE network boot protocol # pxe = module # Layer: services # Module: pyzor # # Pyzor is a distributed, collaborative spam detection and filtering network. # pyzor = module # Layer: services # Module: qmail # # Qmail Mail Server # qmail = module # Layer: services # Module: radius # # RADIUS authentication and accounting server. # radius = module # Layer: services # Module: radvd # # IPv6 router advertisement daemon # radvd = module # Layer: services # Module: razor # # A distributed, collaborative, spam detection and filtering network. # razor = module # Layer: services # Module: rdisc # # Network router discovery daemon # rdisc = module # Layer: services # Module: remotelogin # # Policy for rshd, rlogind, and telnetd. # remotelogin = module # Layer: services # Module: resmgr # # Resource management daemon # resmgr = module # Layer: services # Module: rhgb # # Red Hat Graphical Boot # rhgb = module # Layer: services # Module: ricci # # Ricci cluster management agent # ricci = module # Layer: services # Module: rlogin # # Remote login daemon # rlogin = module # Layer: services # Module: roundup # # Roundup Issue Tracking System policy # roundup = module # Layer: services # Module: rpc # # Remote Procedure Call Daemon for managment of network based process communication # rpc = module # Layer: services # Module: rpcbind # # Universal Addresses to RPC Program Number Mapper # rpcbind = module # Layer: services # Module: rshd # # Remote shell service. # rshd = module # Layer: services # Module: rsync # # Fast incremental file transfer for synchronization # rsync = module # Layer: services # Module: rwho # # Who is logged in on other machines? # rwho = module # Layer: services # Module: samba # # SMB and CIFS client/server programs for UNIX and # name Service Switch daemon for resolving names # from Windows NT servers. # samba = module # Layer: services # Module: sasl # # SASL authentication server # sasl = module # Layer: services # Module: sendmail # # Policy for sendmail. # sendmail = module # Layer: services # Module: setroubleshoot # # SELinux troubleshooting service # setroubleshoot = module # Layer: services # Module: slrnpull # # Service for downloading news feeds the slrn newsreader. # slrnpull = module # Layer: services # Module: smartmon # # Smart disk monitoring daemon policy # smartmon = module # Layer: services # Module: snmp # # Simple network management protocol services # snmp = module # Layer: services # Module: snort # # Snort network intrusion detection system # snort = module # Layer: services # Module: soundserver # # sound server for network audio server programs, nasd, yiff, etc # soundserver = module # Layer: services # Module: spamassassin # # Filter used for removing unsolicited email. # spamassassin = module # Layer: services # Module: speedtouch # # Alcatel speedtouch USB ADSL modem # speedtouch = module # Layer: services # Module: squid # # Squid caching http proxy server # squid = module # Layer: services # Module: ssh # # Secure shell client and server policy. # ssh = module # Layer: services # Module: stunnel # # SSL Tunneling Proxy # stunnel = module # Layer: services # Module: sysstat # # Policy for sysstat. Reports on various system states # sysstat = module # Layer: services # Module: tcpd # # Policy for TCP daemon. # tcpd = module # Layer: services # Module: telnet # # Telnet daemon # telnet = module # Layer: services # Module: tftp # # Trivial file transfer protocol daemon # tftp = module # Layer: services # Module: timidity # # MIDI to WAV converter and player configured as a service # timidity = module # Layer: services # Module: tor # # TOR, the onion router # tor = module # Layer: services # Module: transproxy # # HTTP transperant proxy # transproxy = module # Layer: services # Module: ucspitcp # # ucspitcp policy # ucspitcp = module # Layer: services # Module: uptime # # Uptime daemon # uptime = module # Layer: services # Module: uucp # # Unix to Unix Copy # uucp = module # Layer: services # Module: uwimap # # University of Washington IMAP toolkit POP3 and IMAP mail server # uwimap = module # Layer: services # Module: watchdog # # Software watchdog # watchdog = module # Layer: services # Module: xfs # # X Windows Font Server # xfs = module # Layer: services # Module: xprint # # X print server # xprint = module # Layer: services # Module: xserver # # X Windows Server # xserver = module # Layer: services # Module: zabbix # # Distributed infrastructure monitoring # zabbix = module # Layer: services # Module: zebra # # Zebra border gateway protocol network routing service # zebra = module # Layer: system # Module: application # # Policy for user executable applications. # application = base # Layer: system # Module: authlogin # # Common policy for authentication and user login. # authlogin = base # Layer: system # Module: clock # # Policy for reading and setting the hardware clock. # clock = module # Layer: system # Module: daemontools # # Collection of tools for managing UNIX services # daemontools = module # Layer: system # Module: fstools # # Tools for filesystem management, such as mkfs and fsck. # fstools = module # Layer: system # Module: getty # # Policy for getty. # getty = module # Layer: system # Module: hostname # # Policy for changing the system host name. # hostname = module # Layer: system # Module: hotplug # # Policy for hotplug system, for supporting the # connection and disconnection of devices at runtime. # hotplug = module # Layer: system # Module: init # # System initialization programs (init and init scripts). # init = base # Layer: system # Module: ipsec # # TCP/IP encryption # ipsec = module # Layer: system # Module: iptables # # Policy for iptables. # iptables = module # Layer: system # Module: iscsi # # Establish connections to iSCSI devices # iscsi = module # Layer: system # Module: libraries # # Policy for system libraries. # libraries = base # Layer: system # Module: locallogin # # Policy for local logins. # locallogin = base # Layer: system # Module: logging # # Policy for the kernel message logger and system logging daemon. # logging = base # Layer: system # Module: lvm # # Policy for logical volume management programs. # lvm = module # Layer: system # Module: miscfiles # # Miscelaneous files. # miscfiles = base # Layer: system # Module: modutils # # Policy for kernel module utilities # modutils = base # Layer: system # Module: mount # # Policy for mount. # mount = module # Layer: system # Module: netlabel # # NetLabel/CIPSO labeled networking management # netlabel = module # Layer: system # Module: pcmcia # # PCMCIA card management services # pcmcia = module # Layer: system # Module: raid # # RAID array management tools # raid = module # Layer: system # Module: selinuxutil # # Policy for SELinux policy and userland applications. # selinuxutil = base # Layer: system # Module: setrans # # SELinux MLS/MCS label translation service. # setrans = module # Layer: system # Module: sysnetwork # # Policy for network configuration: ifconfig and dhcp client. # sysnetwork = base # Layer: system # Module: udev # # Policy for udev. # udev = module # Layer: system # Module: unconfined # # The unconfined domain. # unconfined = module # Layer: system # Module: userdomain # # Policy for user domains # userdomain = base # Layer: system # Module: xen # # Xen hypervisor # xen = module
