No. Because the new policy is also a targeted policy. Actually, I am a student and am studying the Tresys Reference policy. So I need to load it for some analysis.

rbs

Hi Lukas,

I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails with an error: systemd[1] : Failed to initialize SELinux context: No such file or directory".

Then I had to set the boot parameter selinux=0 to boot it. So next I tried using "make load". And since the config file said SELINUXTYPE can take one of the 3 values listed in it(targeted, minimum, mls), I got confused and didn't change the value.

Is there anything else that I can try to fix the issue?

-rbs

On Fri, Jan 12, 2018 at 04:53:36AM -0000, rbs s wrote:

Hi Lukas,

I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails with an error: systemd[1] : Failed to initialize SELinux context: No such file or directory".

Then I had to set the boot parameter selinux=0 to boot it. So next I tried using "make load". And since the config file said SELINUXTYPE can take one of the 3 values listed in it(targeted, minimum, mls), I got confused and didn't change the value.

The comment in /etc/selinux/config in Fedora is little bit misleading. It applies only for Fedora provided policies targeted, mls and minimum. But if you need to use your own policy with a different name, you need to change SELINUXTYPE, see man selinux_config:

SELINUXTYPE The policy_name entry is used to identify the policy type, and becomes the directory name of where the policy and its configuration files are located.

The entry can be determined using the sestatus(8) command or selinux_getpolicytype(3).

The policy_name is relative to a path that is defined within the SELinux subsystem that can be retrieved by using selinux_path(3). An example entry retrieved by selinux_path(3) is: /etc/selinux/

The policy_name is then appended to this and becomes the 'policy root' location that can be retrieved by selinux_policy_root_path(3). An example entry retrieved is: /etc/selinux/targeted

The actual binary policy is located relative to this directory and also has a policy name pre-allocated. This information can be retrieved using selinux_binary_policy_path(3). An example entry retrieved by selinux_binary_policy_path(3) is: /etc/selinux/targeted/policy/policy

The binary policy name has by convention the SELinux policy version that it supports appended to it. The maximum policy version supported by the kernel can be determined using the sestatus(8) command or security_policyvers(3). An example binary policy file with the version is: /etc/selinux/targeted/policy/policy.24

If you want to use refpolicy which is stored in /etc/selinux/refpolicy you need to set

SELINUXTYPE=refpolicy

Petr

On Thu, Jan 11, 2018 at 02:22:57PM -0000, rbs s wrote:

No. Because the new policy is also a targeted policy. Actually, I am a student and am studying the Tresys Reference policy. So I need to load it for some analysis.

rbs

To be clear, loading policy is not required to perform analysis. setools in general can work against a binary policy file. For example:

sesearch -A -s init_t -t bin_t /path/to/my/policy.30

---

selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org