On 08/04/2016 01:06 PM, sagivdev(a)gmail.com wrote:
Hello all,
I am new to SELinux. My goal is to implement a custom, small policy on an embedded
device.
Currently, I have a working modified (narrowed down) policy based on the targeted
refpolicy. I use a custom openembedded environment.
My thought was that since I aim to use the policy on an embedded device (so no changes
should be made to the policy at all), using a monolithic policy will save space and I
could also give up on the managing tools, reducing more space.
I believe it is a correct assumption to go with a monolithic policy for
your embedded device. I would also think that you don't need to have
policies from the contrib repository (I don't think that ABRT policy is
needed for your embedded for example). Maybe you could just go with
policies from refpolicy-base.
I am having trouble switching to monolithic policy. I wanted to make
sure that the errors were not resulting from my specific rules, so I reverted for now to
the regular targeted refpolicy that arrives with the openembedded SELinux meta. This is
the resulting error:
| Creating targeted policy.conf
| Compiling targeted policy.29
| policy/modules/roles/sysadm.te:78:ERROR 'duplicate role transition for
(sysadm_r,abrt_initrc_exec_t,process)' at token ';' on line 2454354:
| #line 78
| role_transition sysadm_r abrt_initrc_exec_t system_r;
| checkpolicy: error(s) encountered while parsing configuration
|
/lte/sagivde/local_views/sagivde_selinux_policy_1/vobs/le920/apps_proc/oe-core/build/tmp-glibc/sysroots/x86_64-linux/usr/bin/checkpolicy:
loading policy configuration from policy.conf
| make: *** [policy.29] Error 1
If I comment out the above rule a different error occurs, and this happens again for
the next error, and so on.
My questions are:
1. Is moving to monolithic policy really a good choice in my case? (reduce memory
consumption and disk space)
2. If so - how can I solve the above error?
Thanks,
Sagiv.
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
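As an added example (not from this thread, and not refpolicy's own tooling), a small shell function that lists the role_transition statements occurring more than once in a generated policy.conf; checkpolicy rejects the second occurrence with the "duplicate role transition" error quoted above, and the (role, type, class) triples it prints are the ones to trace back to the modules that emit them. The sample policy.conf is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: find role_transition statements
# that occur more than once in a generated policy.conf. checkpolicy rejects
# the second occurrence as "duplicate role transition for (role,type,class)",
# so listing the duplicates shows which (role, type) pairs two modules both
# declare. The class defaults to "process" when the statement omits it.

# dup_role_transitions FILE: print "role type class count" for each duplicate
dup_role_transitions() {
    awk '
        $1 == "role_transition" {
            sub(/;.*/, "")                       # drop terminator and trailing text
            cls = (NF == 5) ? $4 : "process"     # optional class, default process
            key = $2 " " $3 " " cls              # (role, type, class) is the unique key
            count[key]++
        }
        END {
            for (k in count) if (count[k] > 1) printf "%s %d\n", k, count[k]
        }' "$1" | sort
}

# Constructed sample: the same transition emitted by two modules, once
# without and once with the explicit class (both mean the same thing).
# The abrt statement mirrors the one quoted in the thread.
make_sample_policy_conf() {
    cat > "$1" <<'EOF'
#line 78
role_transition sysadm_r abrt_initrc_exec_t system_r;
role_transition sysadm_r sshd_exec_t system_r;
#line 120
role_transition sysadm_r abrt_initrc_exec_t process system_r;
role_transition staff_r abrt_initrc_exec_t system_r;
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_policy_conf "$tmp"
    dup_role_transitions "$tmp"     # prints: sysadm_r abrt_initrc_exec_t process 2
    rm -f "$tmp"
fi
```

Run it against the real policy.conf left in the build directory (`dup_role_transitions policy.conf`) to see every colliding triple at once instead of one per failed checkpolicy run.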