How to apply new policy exactly?

Stephen Smalley sds at tycho.nsa.gov
Tue Sep 12 13:01:25 UTC 2006


On Tue, 2006-09-12 at 08:14 -0400, Christopher J. PeBenito wrote:
> On Tue, 2006-09-12 at 10:38 +0800, Benjamin Tsai wrote:
> > Thank you for the clarification. I have reconfigured selinux/config
> > and recompiled the policy the way I did it yesterday, but now I got
> > another error like this:
> 
> 
> > libsemanage.semanage_install_active: Could not
> > copy /etc/selinux/refpolicy/modules/active/policy.kern
> > to /etc/selinux/refpolicy/policy/policy.20.
> 
> mkdir -p /etc/selinux/refpolicy/policy

Also:
 mkdir -p /etc/selinux/refpolicy/contexts/files

It would be nice if libsemanage did the equivalent automatically if they
don't exist.

However, I'm not clear that Benjamin is on the right path here.
What is it that you actually want to achieve?  Why are you installing
upstream refpolicy?  And what exact refpolicy are you installing - the
20060307 release or the current svn trunk?  And what are the rest of
your build.conf options - you only mentioned the DISTRO=redhat one, but
Fedora customizes other settings as well, like DIRECT_INITRC=y, and it
builds modular (MONOLITHIC=n) policy for FC5 and later.  You also likely
want the TYPE= to include the -mcs suffix so that your on-disk file
contexts are compatible, particularly since some packages are now using
semanage with local file contexts.

FC5 already uses refpolicy as its basis for building its targeted and
strict policy packages, so I'm not sure what you hope to gain by
building directly from the upstream refpolicy.  Last I looked though,
strict policy was broken in FC5 because it was modular w/o the newer
libsepol/checkpolicy that supported optionals-in-base (take 2).  Dan, is
that still the case?  You either need libsepol >= 1.12.18 and
checkpolicy >= 1.30.8 or a strict policy that puts everything into base.

If you are trying to build a strict policy that works on FC5, I think
you need a newer policy toolchain (either from upstream svn or the
Fedora devel tree).  You could try just updating to the devel versions
of libsepol, checkpolicy, libselinux, libsemanage, and policycoreutils,
and then installing the devel version of selinux-policy-strict.  Then
you don't need to build upstream refpolicy yourself.

Even if you want to build upstream refpolicy yourself, I think you'll
need the newer policy toolchain unless you collapse everything into the
base module.

-- 
Stephen Smalley
National Security Agency
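The following POSIX shell script is an added example, not part of Stephen's message and not code from refpolicy or libsemanage. It turns the advice above into checks a practitioner can run before building: it reads a refpolicy build.conf and reports settings that differ from the Fedora-compatible values named in the message (DISTRO=redhat, DIRECT_INITRC=y, MONOLITHIC=n, and a TYPE with the -mcs suffix), compares libsepol/checkpolicy versions against the minimums given (libsepol >= 1.12.18, checkpolicy >= 1.30.8), and creates the two directories the two mkdir -p fixes refer to. The sample build.conf is constructed for the demonstration, the scratch directory stands in for /etc/selinux/refpolicy, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): check a refpolicy build.conf against the
# Fedora-compatible settings Stephen lists, compare toolchain versions against the
# minimums he gives, and create the two directories libsemanage fails without.

# Constructed sample build.conf standing in for a refpolicy checkout's build.conf.
# Its values are chosen so that several of the checks below fire.
SAMPLE_BUILD_CONF="$(mktemp)"
DEMO_ROOT="$(mktemp -d)"          # scratch stand-in for /etc/selinux/refpolicy
trap 'rm -rf "$SAMPLE_BUILD_CONF" "$DEMO_ROOT"' EXIT
cat > "$SAMPLE_BUILD_CONF" <<'EOF'
# Policy build options (constructed sample)
TYPE = strict
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC = n
MONOLITHIC = y
EOF

# conf_get FILE KEY: value of "KEY = value" in a refpolicy build.conf.
# Commented-out lines (#DISTRO = redhat) are ignored; the last assignment wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_fedora_build_conf FILE: print one line per setting that differs from what
# Fedora uses for FC5 and later (DISTRO=redhat, DIRECT_INITRC=y, MONOLITHIC=n,
# TYPE with the -mcs suffix). Returns 0 only when nothing differs.
check_fedora_build_conf() {
    conf="$1"
    bad=0
    for want in DISTRO=redhat DIRECT_INITRC=y MONOLITHIC=n; do
        key="${want%%=*}"
        val="${want#*=}"
        have="$(conf_get "$conf" "$key")"
        if [ "$have" != "$val" ]; then
            echo "$key is '${have:-unset}', Fedora uses $val"
            bad=$((bad + 1))
        fi
    done
    type="$(conf_get "$conf" TYPE)"
    case "$type" in
        *-mcs) ;;
        *)
            echo "TYPE is '${type:-unset}', use ${type:-strict}-mcs so on-disk file contexts match Fedora's"
            bad=$((bad + 1))
            ;;
    esac
    [ "$bad" -eq 0 ]
}

# version_ge A B: true when dotted version A is >= B, compared numerically
# component by component (1.12.18 >= 1.12.18, 1.12.20 >= 1.12.18, but 1.30 < 1.30.8).
# Components must be plain integers; release suffixes are not handled.
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# toolchain_ok LIBSEPOL_VER CHECKPOLICY_VER: true when both meet the minimums the
# message gives for modular strict policy with optionals-in-base (take 2).
toolchain_ok() {
    version_ge "$1" 1.12.18 && version_ge "$2" 1.30.8
}

# ensure_semanage_dirs ROOT: the two mkdir -p fixes from the thread, applied under
# ROOT (on a real system the store for policy NAME lives at /etc/selinux/NAME).
ensure_semanage_dirs() {
    mkdir -p "$1/policy" "$1/contexts/files"
}

# Stand-alone run against the constructed sample and the scratch store.
check_fedora_build_conf "$SAMPLE_BUILD_CONF" || echo "build.conf does not match Fedora's settings yet"
if toolchain_ok 1.12.18 1.30.8; then echo "toolchain is new enough for modular strict policy"; fi
ensure_semanage_dirs "$DEMO_ROOT" && echo "created $DEMO_ROOT/policy and $DEMO_ROOT/contexts/files"
```

Run it with `sh` from anywhere; to check a real checkout, call `check_fedora_build_conf path/to/build.conf` and `ensure_semanage_dirs /etc/selinux/refpolicy` (the latter as root) instead of the sample and scratch paths. The version check only covers the two minimums the message states; it says nothing about whether the installed policy modules were actually built for that toolchain.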



