3:59 p.m.
All,
I have a number of custom policies that I developed on a Fedora 14
system by using sepolgen and iterating over the policies up to a point
where they are violation free.
When trying to install those policies on another system, I've run into a
circular dependency issue. No matter what order I call the 6 .sh
scripts created by sepolgen, I always end up with missing required
types, e.g.,:
----
[proxyuser@lime selinux]$ sudo ./CZwd.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZwd.pp
libsepol.print_missing_requirements: CZwd's global requirements were not
met: type/attribute CZfwa_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
/usr/sbin/semodule: Failed!
----
Presumably, one can break these cycles by defining all required types first.
Is there a manual way to do this using the SELinux tools?
Thanks
Michael
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
4:16 a.m.
On 01/10/2012 10:59 PM, Michael Atighetchi wrote:
All,
I have a number of custom policies that I developed on a Fedora 14
system by using sepolgen and iterating over the policies up to a point
where they are violation free.
When trying to install those policies on another system, I've run into
a circular dependency issue. No matter what order I call the 6 .sh
scripts created by sepolgen, I always end up with missing required
types, e.g.,:
----
[proxyuser@lime selinux]$ sudo ./CZwd.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZwd.pp
libsepol.print_missing_requirements: CZwd's global requirements were
not met: type/attribute CZfwa_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file
or directory).
/usr/sbin/semodule: Failed!
----
Presumably, one can break these cycles by defining all required types
first.
Is there a manual way to do this using the SELinux tools?
Thanks
Michael
You should use "optional_policy" statement in your policies to prevent
this issue. I wrote a blog about this
http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-p...
6:21 a.m.
On 1/11/2012 11:16 AM, Miroslav Grepl wrote:
On 01/10/2012 10:59 PM, Michael Atighetchi wrote:
> All,
>
> I have a number of custom policies that I developed on a Fedora 14
> system by using sepolgen and iterating over the policies up to a
> point where they are violation free.
>
> When trying to install those policies on another system, I've run
> into a circular dependency issue. No matter what order I call the 6
> .sh scripts created by sepolgen, I always end up with missing
> required types, e.g.,:
>
> ----
> [proxyuser@lime selinux]$ sudo ./CZwd.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZwd.pp
> libsepol.print_missing_requirements: CZwd's global requirements were
> not met: type/attribute CZfwa_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file
> or directory).
> /usr/sbin/semodule: Failed!
> ----
>
> Presumably, one can break these cycles by defining all required types
> first.
> Is there a manual way to do this using the SELinux tools?
>
> Thanks
> Michael
>
>
You should use "optional_policy" statement in your policies to prevent
this issue. I wrote a blog about this
http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-p...
Thanks for the pointer. Turns out that somehow the policies I had
previously iterated over had a lot of junk in them, for instance, rules
for types that are not really supposed to be declared by the specific
policy module. After manually cleaning up the policies, I was able to
get them to load and work properly.
Will keep the optional_policy in mind though.
Michael
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet(a)bbn.com
7:25 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/10/2012 04:59 PM, Michael Atighetchi wrote:
All,
I have a number of custom policies that I developed on a Fedora 14
system by using sepolgen and iterating over the policies up to a
point where they are violation free.
When trying to install those policies on another system, I've run
into a circular dependency issue. No matter what order I call the
6 .sh scripts created by sepolgen, I always end up with missing
required types, e.g.,:
---- [proxyuser@lime selinux]$ sudo ./CZwd.sh Building and Loading
Policy + make -f /usr/share/selinux/devel/Makefile make: Nothing to
be done for `all'. + /usr/sbin/semodule -i CZwd.pp
libsepol.print_missing_requirements: CZwd's global requirements
were not met: type/attribute CZfwa_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such
file or directory). /usr/sbin/semodule: Failed! ----
Presumably, one can break these cycles by defining all required
types first. Is there a manual way to do this using the SELinux
tools?
Thanks Michael
Without seeing the policy I would figure you did not define CZfwa_t
within this module but used without out a optional_policy block around
it. You have a couple of choices either add the optional_policy block
or install both pp files with the same semodule command.
semodule -i CZwd.pp CZfwa.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8NjbAACgkQrlYvE4MpobOKeQCeOZdRV0yyTzrP8ZuHNl0YjBmq
qRQAnjtmVaDpe9V4bJObY9fP+T+V2kvy
=SKZ4
-----END PGP SIGNATURE-----
4486
days inactive
4487
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Daniel J Walsh -
Michael Atighetchi -
Miroslav Grepl