How to apply new policy exactly?

Benjamin Tsai benjamin.tsai at intervideo.com
Mon Sep 18 10:02:49 UTC 2006


My purpose is to customize SELinux policies for my own daemon. 
I want to create a new user, role, and type on my system.
I thought I'd need the policy sources to do the recompilation, so I
started from refpolicy.
On my box the directories you indicated are created automatically, so I
think there are other problems. 

I've updated policy toolchain:
selinux-policy-2.3.13-5
libselinux-1.30.3-4.fc5
selinux-policy-strict-2.3.13-5
libsepol-1.12.26-1
libsemanage-1.6.16-2
policycoreutils-1.30.29-1
checkpolicy-1.30.9-1.1

My refpolicy/src/policy/build.conf:

TYPE=strict-mcs
NAME=refpolicy
DISTRO=redhat
DIRECT_INITRC=y
MONOLITHIC=n

After the update, I re-compiled the refpolicy source and got the following
errors:

libsepol.mls_read_range_helper: truncated range
libsepol.sepol_module_package_read: invalid module in module package (at
section 0)
libsemanage.semanage_load_module: Error while reading from module file
/etc/selinux/refpolicy/modules/tmp/base.pp.
/usr/sbin/semodule:  Failed!
make: *** [load] Error 1

The directory tmp exists, but the file base.pp doesn't. I need help
here. 
Thank you so much :)

Benjamin

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Tuesday, September 12, 2006 9:01 PM
To: Christopher J. PeBenito
Cc: Daniel J Walsh; Karl MacMillan; Joshua Brindle; Benjamin Tsai;
fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > Thank you for the clarification. I have reconfigured selinux/config
> > and recompile policy as the way I did it yesterday, but now I got
> > another error like this
> 
> 
> > libsemanage.semanage_install_active: Could not
> > copy /etc/selinux/refpolicy/modules/active/policy.kern
> > to /etc/selinux/refpolicy/policy/policy.20.
> 
> mkdir -p /etc/selinux/refpolicy/policy

Also 
 mkdir -p /etc/selinux/refpolicy/contexts/files

It would be nice if libsemanage did the equivalent automatically if they
don't exist.

However, I'm not clear that Benjamin is on the right path here.
What is it that you actually want to achieve?  Why are you installing
upstream refpolicy?  And what exact refpolicy are you installing - the
20060307 release or the current svn trunk?  And what are the rest of
your build.conf options - you only mentioned the DISTRO=redhat one, but
Fedora customizes other settings as well, like DIRECT_INITRC=y, and it
builds modular (MONOLITHIC=n) policy for FC5 and later.  You also likely
want the TYPE= to include the -mcs suffix so that your on-disk file
contexts are compatible, particularly since some packages are now using
semanage with local file contexts.

FC5 already uses refpolicy as its basis for building its targeted and
strict policy packages, so I'm not sure what you hope to gain by
building directly from the upstream refpolicy.  Last I looked though,
strict policy was broken in FC5 because it was modular w/o the newer
libsepol/checkpolicy that supported optionals-in-base (take 2).  Dan, is
that still the case?  You either need libsepol >= 1.12.18 and
checkpolicy >= 1.30.8 or a strict policy that puts everything into base.

If you are trying to build a strict policy that works on FC5, I think
you need a newer policy toolchain (either from upstream svn or the
Fedora devel tree).  You could try just updating to the devel versions
of libsepol, checkpolicy, libselinux, libsemanage, and policycoreutils,
and then installing the devel version of selinux-policy-strict.  Then
you don't need to build upstream refpolicy yourself.

Even if you want to build upstream refpolicy yourself, I think you'll
need the newer policy toolchain unless you collapse everything into the
base module.

-- 
Stephen Smalley
National Security Agency
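
The checks Stephen spells out above (libsepol >= 1.12.18 and checkpolicy >= 1.30.8 for a modular strict policy with optionals in base, the policy/ and contexts/files directories that libsemanage does not create on its own, and the build.conf settings Fedora uses), put into one POSIX shell script as an added example. This is not code from the thread, from refpolicy or from Fedora; the function names, the store root passed to prepare_store, and the package strings fed to check_toolchain (copied from Benjamin's version list) are assumptions for illustration. The live rpm query at the end runs only where rpm is present.

```shell
#!/bin/sh
# Added example, not from the thread: verify the policy toolchain minimums
# Stephen Smalley names, create the store directories the thread says are
# missing, and write the Fedora-style build.conf. Paths and names are assumed.

MIN_LIBSEPOL=1.12.18       # from the thread: optionals-in-base (take 2)
MIN_CHECKPOLICY=1.30.8

# version_ge A B: exit 0 when dotted version A >= B, comparing each numeric
# component in turn; a missing component counts as 0 (so 1.30 < 1.30.8).
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0            # ran out of components: equal
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then
            return 0
        elif [ "$x" -lt "$y" ]; then
            return 1
        fi
        i=$((i + 1))
    done
}

# nvr_version NAME-VERSION-RELEASE: print just VERSION from an rpm -q style
# string, e.g. selinux-policy-strict-2.3.13-5 -> 2.3.13.
nvr_version() {
    v=${1%-*}                   # drop the trailing -RELEASE
    printf '%s\n' "${v##*-}"    # keep what follows the last remaining dash
}

# check_toolchain LIBSEPOL_NVR CHECKPOLICY_NVR: exit 0 only when both
# packages meet the minimums needed to load a modular strict policy.
check_toolchain() {
    sepol=$(nvr_version "$1")
    cpol=$(nvr_version "$2")
    rc=0
    if version_ge "$sepol" "$MIN_LIBSEPOL"; then
        echo "libsepol $sepol >= $MIN_LIBSEPOL: ok"
    else
        echo "libsepol $sepol < $MIN_LIBSEPOL: too old for modular strict"
        rc=1
    fi
    if version_ge "$cpol" "$MIN_CHECKPOLICY"; then
        echo "checkpolicy $cpol >= $MIN_CHECKPOLICY: ok"
    else
        echo "checkpolicy $cpol < $MIN_CHECKPOLICY: too old for modular strict"
        rc=1
    fi
    return $rc
}

# prepare_store ROOT: create the directories named in the thread that
# libsemanage expects but does not create (ROOT is e.g. /etc/selinux/refpolicy).
prepare_store() {
    mkdir -p "$1/policy" "$1/contexts/files"
}

# write_build_conf FILE: the build.conf settings Fedora uses for FC5, as
# listed in the thread (strict with the -mcs suffix, modular, Red Hat distro).
write_build_conf() {
    cat > "$1" <<'EOF'
TYPE=strict-mcs
NAME=refpolicy
DISTRO=redhat
DIRECT_INITRC=y
MONOLITHIC=n
EOF
}

# Live check on an rpm-based box; silently skipped elsewhere.
if command -v rpm >/dev/null 2>&1 && rpm -q libsepol checkpolicy >/dev/null 2>&1; then
    check_toolchain "$(rpm -q libsepol)" "$(rpm -q checkpolicy)" ||
        echo "upgrade the toolchain (or collapse everything into base) before running make load"
fi
```

With the versions in Benjamin's list (libsepol-1.12.26-1, checkpolicy-1.30.9-1.1) check_toolchain reports both as ok, so the toolchain itself meets the threshold Stephen gives; prepare_store and write_build_conf are the remaining two steps from the thread, after which `make load` is rerun from the refpolicy tree.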