On Wed, Apr 15, 2009 at 5:33 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On Wed, 2009-04-15 at 11:51 +0500, Shaz wrote:
> > Hi everyone,
> >
> > I have some problem with loading policy. The device is in enabled and
> > permissive mode.
> >
> > ----------------
> >
> > root@some-device:/etc/selinux/targeted# make load
> > make: Warning: File `/usr/bin/checkpolicy' has modification time 1.6e+07 s in the future
> > Compiling policy ...
> > /usr/bin/checkpolicy -o /etc/selinux/targeted/policy/policy.23 policy.conf
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > /usr/bin/checkpolicy: policy configuration loaded
> > /usr/bin/checkpolicy: writing binary representation (version 23) to /etc/selinux/targeted/policy/policy.23
> > /usr/bin/checkpolicy -c 19 -o /etc/selinux/targeted/policy/policy.19 policy.conf
> > /usr/bin/checkpolicy: loading policy configuration from policy.conf
> > /usr/bin/checkpolicy: policy configuration loaded
> > /usr/bin/checkpolicy: writing binary representation (version 19) to /etc/selinux/targeted/policy/policy.19
> > Loading Policy ...
> > /usr/bin/load_policy /etc/selinux/targeted/policy/policy.19
> > BusyBox v1.10.1 (2009-04-07 15:36:44 PKT) multi-call binary
> >
> > Usage: load_policy
>
> As the usage message says, load_policy doesn't take a policy file
> argument anymore (it always loads policy from the standard location and
> selects the appropriate version). So just modify your Makefile to omit
> the policy file or run load_policy by hand with no arguments.

We actually were trying to run load_policy through ssh remotely, and when we tried locally it worked. We came to the conclusion that loading policy over ssh is stupid because of security reasons and it is not allowed. Is this right?

> > make: *** [tmp/load] Error 1
> >
> > ---------------------------------
> >
> > I also had a clock skew warning at every build step of policy
> > building. Does it matter? How to solve it easily?
>
> That just means that the timestamps on the files are in the future of
> your current clock setting. Check your system clock and/or the
> timestamps on the files.

The device clock had problems :) Now it's fine.

> > Where did policy 23 come from?
>
> That's the latest policy version supported by the version of checkpolicy
> you have.

So policy support is hard-coded into the kernel and the userspace can determine it through some library functionality?

> --
> Stephen Smalley
> National Security Agency

--
Shaz
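The two points Stephen makes (load_policy now loads from the standard location and "selects the appropriate version", and the kernel's supported policy version is something userspace can query) can be shown together in a short script. This is an added example, not code from the thread and not libselinux's implementation: it reads the kernel's maximum policy version from selinuxfs, which is the same value libselinux's `security_policyvers()` returns (`/sys/fs/selinux` on current kernels; `/selinux` was the mount point on 2009-era systems), and then picks the newest `policy.N` file that the running kernel can accept. The policy directory and file contents in `demo()` are constructed to match the `make load` output above, where checkpolicy wrote both `policy.23` and (via `-c 19`) `policy.19`.

```python
"""Illustration of load_policy-style version selection (added example, not
libselinux): read the kernel's maximum policy version from selinuxfs, then
choose the newest policy.N in the policy directory that does not exceed it."""
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# selinuxfs exposes the newest binary policy version the kernel accepts.
# /sys/fs/selinux is the modern mount point; /selinux was used around 2009.
POLICYVERS_PATHS = ("/sys/fs/selinux/policyvers", "/selinux/policyvers")


def kernel_policy_version(paths=POLICYVERS_PATHS) -> Optional[int]:
    """Return the kernel's maximum supported policy version, or None when no
    selinuxfs is mounted (SELinux disabled, or not a Linux host at all)."""
    for p in paths:
        try:
            return int(Path(p).read_text().strip())
        except (OSError, ValueError):
            continue
    return None


def available_policy_versions(policy_dir: str) -> List[int]:
    """List the N of every policy.N file in policy_dir, ascending."""
    found = []
    for entry in os.listdir(policy_dir):
        m = re.fullmatch(r"policy\.(\d+)", entry)
        if m:
            found.append(int(m.group(1)))
    return sorted(found)


def select_policy_file(policy_dir: str, kernel_vers: int) -> Optional[str]:
    """Pick the newest policy.N with N <= kernel_vers.

    A binary policy newer than the kernel supports is rejected at load time,
    so for the thread's situation (policy.23 and policy.19 present, kernel
    at 19) the right answer is policy.19; a kernel at 23 or later gets
    policy.23. Returns None when nothing loadable exists, which a caller
    should treat as a hard error rather than trying a too-new file.
    """
    candidates = [v for v in available_policy_versions(policy_dir) if v <= kernel_vers]
    if not candidates:
        return None
    return os.path.join(policy_dir, f"policy.{max(candidates)}")


def demo() -> dict:
    """Build a constructed policy directory mirroring the thread's output and
    show the selection for three hypothetical kernel versions."""
    with tempfile.TemporaryDirectory() as d:
        for v in (23, 19):
            # Constructed stub files; real policy.N files are checkpolicy output.
            Path(d, f"policy.{v}").write_bytes(b"stub")
        return {
            "kernel19": os.path.basename(select_policy_file(d, 19) or ""),
            "kernel23": os.path.basename(select_policy_file(d, 23) or ""),
            "kernel15": select_policy_file(d, 15),  # nothing old enough -> None
        }


if __name__ == "__main__":
    print("kernel policy version:", kernel_policy_version())
    print(demo())
```

Run on a host without selinuxfs, `kernel_policy_version()` returns None and the caller should stop there; on an SELinux host it gives the number that decides which `policy.N` is loadable, which is why the Makefile in the thread no longer needs to pass a file name to load_policy.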