Hello all,
I am new to SELinux. My goal is to implement a custom, small policy on an embedded device. Currently, I have a working, modified (narrowed down) policy based on the targeted refpolicy. I use a custom OpenEmbedded environment.
My thought was that since I aim to use the policy on an embedded device (so no changes should be made to the policy at all), using a monolithic policy would save space, and I could also give up the management tools, saving even more space.
I am having trouble switching to a monolithic policy. I wanted to make sure that the errors were not a result of my specific rules, so for now I reverted to the regular targeted refpolicy that comes with the OpenEmbedded SELinux meta layer. This is the resulting error:
Creating targeted policy.conf
Compiling targeted policy.29
policy/modules/roles/sysadm.te:78:ERROR 'duplicate role transition for (sysadm_r,abrt_initrc_exec_t,process)' at token ';' on line 2454354:
#line 78
role_transition sysadm_r abrt_initrc_exec_t system_r;
checkpolicy: error(s) encountered while parsing configuration
/lte/sagivde/local_views/sagivde_selinux_policy_1/vobs/le920/apps_proc/oe-core/build/tmp-glibc/sysroots/x86_64-linux/usr/bin/checkpolicy: loading policy configuration from policy.conf
make: *** [policy.29] Error 1
If I comment out the above rule, a different error occurs, and the same happens again for the next error, and so on.
My questions are:
1. Is moving to a monolithic policy really a good choice in my case (to reduce memory consumption and disk space)?
2. If so, how can I solve the above error?
Thanks, Sagiv.
On 08/04/2016 07:06 AM, sagivdev@gmail.com wrote:
I would look at how Android uses SELinux. Their policy might be a better starting point for you as well.
This link has some information and some other helpful references: https://source.android.com/security/selinux/
There is a general SELinux mailing list that you can join by sending email to selinux-join@tycho.nsa.gov, and there is an SE for Android list that you can join by sending email to seandroid-list-join@tycho.nsa.gov.
-- selinux mailing list selinux@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
On 08/04/2016 01:06 PM, sagivdev@gmail.com wrote:
I believe it is a correct assumption to go with a monolithic policy for your embedded device. I would also think that you don't need the policies from the contrib repository (I don't think that the ABRT policy is needed for your embedded device, for example). Maybe you could just go with the policies from refpolicy-base.
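One way to pin down the "duplicate role transition" error from the original post, and to see which module contributes the second copy of the rule (for instance a contrib module such as abrt, which the reply above suggests dropping). This is an added example, not code from the thread, from refpolicy or from meta-selinux. It assumes the policy.conf was produced by the refpolicy build with m4 synclines, i.e. the `#line N "file"` directives that the checkpolicy error also echoes; the policy.conf fragment embedded in the script is constructed for illustration, not taken from a real build, and the script name used in the usage note is arbitrary.

```python
"""Locate duplicate role_transition statements in a refpolicy policy.conf.

Added example; not code from the thread, refpolicy or meta-selinux.

checkpolicy refuses a monolithic policy.conf that states the same
(role, type, class) role_transition twice.  Its error names the line in the
huge concatenated file ("on line 2454354") plus the last '#line' hint, which
is tedious to trace by hand.  This script follows the '#line N "file"'
synclines that m4 emits during the build, attributes every role_transition
to its source file and line, and lists the ones that collide together with
the modules.conf key of the module each copy came from.
"""
import os
import re
import sys
from collections import defaultdict

# role_transition <role> <type> [: <class>] <new_role>;   class defaults to process
ROLE_TRANSITION_RE = re.compile(
    r"^\s*role_transition\s+(\w+)\s+(\w+)\s*(?::\s*(\w+))?\s+(\w+)\s*;"
)
# m4 --synclines output: '#line 78 "policy/modules/roles/sysadm.te"', or just
# '#line 78' when the file is unchanged.  The directive describes the NEXT line.
LINE_DIRECTIVE_RE = re.compile(r'^#line\s+(\d+)(?:\s+"([^"]*)")?')


def find_duplicate_role_transitions(policy_conf_text):
    """Map (role, type, class) -> [(source_file, source_line, new_role), ...]
    for every role_transition key that appears more than once."""
    seen = defaultdict(list)
    src_file, src_line = "<unknown>", 0
    for raw in policy_conf_text.splitlines():
        directive = LINE_DIRECTIVE_RE.match(raw)
        if directive:
            src_line = int(directive.group(1))
            if directive.group(2):
                src_file = directive.group(2)
            continue
        stmt = ROLE_TRANSITION_RE.match(raw)
        if stmt:
            role, obj_type, obj_class, new_role = stmt.groups()
            key = (role, obj_type, obj_class or "process")
            seen[key].append((src_file, src_line, new_role))
        src_line += 1
    return {key: hits for key, hits in seen.items() if len(hits) > 1}


def module_name(source_file):
    """'policy/modules/contrib/abrt.te' -> 'abrt', the key used in modules.conf."""
    return os.path.splitext(os.path.basename(source_file))[0]


def format_report(duplicates):
    """Render the collisions in the same (role,type,class) form checkpolicy uses."""
    lines = []
    for (role, obj_type, obj_class), hits in sorted(duplicates.items()):
        lines.append(f"duplicate role transition for ({role},{obj_type},{obj_class}):")
        for src_file, src_line, new_role in hits:
            cls = "" if obj_class == "process" else ":" + obj_class
            lines.append(
                f"  {src_file}:{src_line}: role_transition {role} {obj_type}{cls} "
                f"{new_role};  [module {module_name(src_file)}]"
            )
    return lines


# Constructed policy.conf fragment (hypothetical, not from a real build): the
# same transition is emitted once from sysadm.te and once from a contrib module.
SAMPLE_POLICY_CONF = '''\
#line 77 "policy/modules/roles/sysadm.te"
role sysadm_r;
role_transition sysadm_r abrt_initrc_exec_t system_r;
allow sysadm_t abrt_initrc_exec_t:file { read execute };
#line 1 "policy/modules/contrib/abrt.te"
type abrt_initrc_exec_t;
role_transition sysadm_r abrt_initrc_exec_t system_r;
role_transition staff_r abrt_initrc_exec_t system_r;
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_CONF
    dups = find_duplicate_role_transitions(text)
    print("\n".join(format_report(dups)) if dups else "no duplicate role_transition statements")
    sys.exit(1 if dups else 0)
```

Run it as `python3 dup_role_transitions.py policy.conf` against the policy.conf the failed build leaves in the refpolicy tree. The source-file column tells you whether the second copy comes from your own .te file (remove it there) or from a module you do not need on the device (set that module to `off` in policy/modules.conf and rebuild), which is faster than commenting out one rule per build iteration.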
Update: In case anyone will stumble upon this error in the future:
From my understanding, the error occurs because monolithic policies in the OpenEmbedded environment are by default compiled and installed on the host machine (as opposed to modular policies).
I have not solved this completely just yet, but I think this is the main issue. I will continue to work on this, also look into the suggestions posted by James and Miroslav, and post here if I manage to solve the issue.
Thanks, Sagiv.
Take a look at how the OE meta-selinux layer handles it. They rewrote the recipe to build it in two stages. Stage one produces the policy modules. Stage two is the compilation of the binary policy (the semodule call), using the fakeroot/pseudo environment in order to build the monolithic policy.
I successfully applied the recipe to the Fedora reference policy with some modifications.
Jack Fewx Platform Software Senior Engineer Dell | Enterprise Product Group
-----Original Message----- From: sagivdev@gmail.com Sent: Sunday, August 14, 2016 7:43 AM To: selinux@lists.fedoraproject.org Subject: Re: Switching to monolithic policy
On 08/14/2016 02:43 PM, sagivdev@gmail.com wrote:
Maybe you could also try to ask on refpolicy@oss.tresys.com.