Hi,
I am using Fedora 26. I need to replace the existing target policy with a new one. Even though "make reload" in the new policy directory completes successfully, it doesn't seem to have actually loaded the new binary, because even after a restart seinfo still gives the details of the old policy. What am I missing here?
-rbs
On Thu, Jan 11, 2018 at 01:46:12PM -0000, rbs s wrote:
> Hi,
> I am using Fedora 26. I need to replace the existing target policy with a new one. Even though "make reload" in the new policy directory completes successfully, it doesn't seem to have actually loaded the new binary, because even after a restart seinfo still gives the details of the old policy. What am I missing here?
Did you change SELINUXTYPE= in /etc/selinux/config ?
Petr
No. Because the new policy is also a targeted policy. Actually, I am a student and am studying the Tresys Reference policy. So I need to load it for some analysis.
rbs
On 01/11/2018 03:22 PM, rbs s wrote:
> No. Because the new policy is also a targeted policy. Actually, I am a student and am studying the Tresys Reference policy. So I need to load it for some analysis.
Did you follow this tutorial? [1]
See the parameter NAME=refpolicy in build.conf; this is the name of the policy you're trying to compile. So you should also modify the /etc/selinux/config file and change the parameter from:
    SELINUXTYPE=targeted
to:
    SELINUXTYPE=refpolicy
[1] https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
Lukas.
> rbs
> _______________________________________________
> selinux mailing list -- selinux@lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Hi Lukas,
I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails with an error: "systemd[1] : Failed to initialize SELinux context: No such file or directory".
Then I had to set the boot parameter selinux=0 to boot it. So next I tried using "make load". And since the config file said SELINUXTYPE can take one of the 3 values listed in it (targeted, minimum, mls), I got confused and didn't change the value.
Is there anything else that I can try to fix the issue?
-rbs
Just to add, I tried these two procedures on two different VMs and I disabled SELinux only in case of the first VM.
-rbs
On Fri, Jan 12, 2018 at 04:53:36AM -0000, rbs s wrote:
> Hi Lukas,
> I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails with an error: "systemd[1] : Failed to initialize SELinux context: No such file or directory".
> Then I had to set the boot parameter selinux=0 to boot it. So next I tried using "make load". And since the config file said SELINUXTYPE can take one of the 3 values listed in it (targeted, minimum, mls), I got confused and didn't change the value.
The comment in /etc/selinux/config in Fedora is a little bit misleading. It applies only to the Fedora-provided policies targeted, mls and minimum. But if you need to use your own policy with a different name, you need to change SELINUXTYPE, see man selinux_config:
SELINUXTYPE The policy_name entry is used to identify the policy type, and becomes the directory name of where the policy and its configuration files are located.
The entry can be determined using the sestatus(8) command or selinux_getpolicytype(3).
The policy_name is relative to a path that is defined within the SELinux subsystem that can be retrieved by using selinux_path(3). An example entry retrieved by selinux_path(3) is: /etc/selinux/
The policy_name is then appended to this and becomes the 'policy root' location that can be retrieved by selinux_policy_root_path(3). An example entry retrieved is: /etc/selinux/targeted
The actual binary policy is located relative to this directory and also has a policy name pre-allocated. This information can be retrieved using selinux_binary_policy_path(3). An example entry retrieved by selinux_binary_policy_path(3) is: /etc/selinux/targeted/policy/policy
The binary policy name has by convention the SELinux policy version that it supports appended to it. The maximum policy version supported by the kernel can be determined using the sestatus(8) command or security_policyvers(3). An example binary policy file with the version is: /etc/selinux/targeted/policy/policy.24
If you want to use refpolicy which is stored in /etc/selinux/refpolicy you need to set
SELINUXTYPE=refpolicy
Petr
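
Added example, not part of the thread: a shell check of the path rule quoted from selinux_config above, i.e. that SELINUXTYPE names a directory under /etc/selinux holding policy/policy.<version>. The function names and the scratch tree are constructed for illustration; the script picks the highest-numbered policy file present and does not compare it with the kernel's maximum supported version.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT is a filesystem prefix: "" for the
# live system, or a scratch directory such as the constructed tree below.

selinuxtype_of() {
    # Value of the last uncommented SELINUXTYPE= line in a config file.
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

installed_types() {
    # Every directory name under ROOT/etc/selinux that holds a binary policy.
    for f in "$1"/etc/selinux/*/policy/policy.[0-9]*; do
        [ -f "$f" ] || continue
        d=${f%/policy/policy.*}
        echo "${d##*/}"
    done | sort -u
}

check_selinuxtype() {
    # Print the highest-versioned binary policy file under the policy root that
    # SELINUXTYPE selects, or say why none can be found there.
    conf="$1/etc/selinux/config"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    ptype=$(selinuxtype_of "$conf")
    [ -n "$ptype" ] || { echo "SELINUXTYPE is not set in $conf"; return 2; }
    pdir="$1/etc/selinux/$ptype/policy"
    newest=$(for f in "$pdir"/policy.[0-9]*; do
                 [ -f "$f" ] && echo "${f##*.}"
             done | sort -n | tail -n 1)
    if [ -z "$newest" ]; then
        echo "SELINUXTYPE=$ptype but no binary policy in $pdir"
        return 1
    fi
    echo "$pdir/policy.$newest"
}

# Constructed sample tree: refpolicy is installed, but the config still says targeted.
demo=$(mktemp -d)
mkdir -p "$demo/etc/selinux/targeted/policy" "$demo/etc/selinux/refpolicy/policy"
: > "$demo/etc/selinux/targeted/policy/policy.31"
: > "$demo/etc/selinux/refpolicy/policy/policy.31"
printf '# SELINUXTYPE= can take one of these values\nSELINUXTYPE=targeted\n' > "$demo/etc/selinux/config"
echo "installed: $(installed_types "$demo" | tr '\n' ' ')"
echo "selected:  $(check_selinuxtype "$demo")"
rm -rf "$demo"
```

On a real system, `check_selinuxtype ""` and `installed_types ""` read the live /etc/selinux tree.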
On Thu, Jan 11, 2018 at 02:22:57PM -0000, rbs s wrote:
> No. Because the new policy is also a targeted policy. Actually, I am a student and am studying the Tresys Reference policy. So I need to load it for some analysis.
> rbs
To be clear, loading policy is not required to perform analysis. setools in general can work against a binary policy file. For example:
sesearch -A -s init_t -t bin_t /path/to/my/policy.30