7:46 a.m.
Hi,
I am using Fedora 26. I need to replace the existing target policy with a new one. Even
though "make reload" in the new policy directory completes successfully, it
doesn't seem to have actually loaded the new binary. Because even after restart seinfo
still gives the details of the old policy. What am I missing here?
-rbs
7:59 a.m.
On Thu, Jan 11, 2018 at 01:46:12PM -0000, rbs s wrote:
Hi,
I am using Fedora 26. I need to replace the existing target policy with a new one. Even
though "make reload" in the new policy directory completes successfully, it
doesn't seem to have actually loaded the new binary. Because even after restart seinfo
still gives the details of the old policy. What am I missing here?
Did you change SELINUXTYPE= in /etc/selinux/config ?
Petr
8:22 a.m.
No. Because the new policy is also a targeted policy. Actually, I am a student and am
studying the Tresys Reference policy. So I need to load it for some analysis.
rbs
8:33 a.m.
On 01/11/2018 03:22 PM, rbs s wrote:
No. Because the new policy is also a targeted policy. Actually, I am
a student and am studying the Tresys Reference policy. So I need to load it for some
analysis.
Did you follow this tutorial? [1]
See in build.conf parameter NAME=refpolicy, this is name of policy
you're trying to compile. So you should also modify /etc/selinux/config
file and change parameter from:
SELINUXTYPE=targeted
to:
SELINUXTYPE=refpolicy
[1] https://github.com/TresysTechnology/refpolicy/wiki/UseRefpolicy
Lukas.
rbs
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
10:53 p.m.
Hi Lukas,
I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails
with an error:
systemd[1] : Failed to initialize SELinux context: No such file or directory".
Then I had to set the boot parameter selinux=0 to boot it.
So next I tried using "make load". And since the config file said SELINUXTYPE
can take one of the 3 values listed in it(targeted, minimum, mls), I got confused and
didn't change the value.
Is there anything else that I can try to fix the issue?
-rbs
11:17 p.m.
Just to add, I tried these two procedures on two different VMs and I disabled SELinux only
in case of the first VM.
-rbs
3:15 a.m.
On Fri, Jan 12, 2018 at 04:53:36AM -0000, rbs s wrote:
Hi Lukas,
I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails
with an error:
systemd[1] : Failed to initialize SELinux context: No such file or directory".
Then I had to set the boot parameter selinux=0 to boot it.
So next I tried using "make load". And since the config file said SELINUXTYPE
can take one of the 3 values listed in it(targeted, minimum, mls), I got confused and
didn't change the value.
The comment in /etc/selinux/config in Fedora is little bit misleading.
It applies only for Fedora provided policies targeted, mls and minimum.
But if you need to use your own policy with a different name, you need
to change SELINUXTYPE, see man selinux_config:
SELINUXTYPE
The policy_name entry is used to identify the policy type, and becomes the
directory name of where the policy and its configuration files are located.
The entry can be determined using the sestatus(8) command or
selinux_getpolicytype(3).
The policy_name is relative to a path that is defined within the SELinux
subsystem that can be retrieved by using selinux_path(3). An example entry retrieved by
selinux_path(3) is:
/etc/selinux/
The policy_name is then appended to this and becomes the 'policy
root' location that can be retrieved by selinux_policy_root_path(3). An example entry
retrieved is:
/etc/selinux/targeted
The actual binary policy is located relative to this directory and also has
a policy name pre-allocated. This information can be retrieved using
selinux_binary_policy_path(3). An example entry retrieved by selinux_binary_policy_path(3)
is:
/etc/selinux/targeted/policy/policy
The binary policy name has by convention the SELinux policy version that it
supports appended to it. The maximum policy version supported by the kernel can be
determined using the sestatus(8) command or security_policyvers(3). An example binary
policy file with
the version is:
/etc/selinux/targeted/policy/policy.24
If you want to use refpolicy which is stored in /etc/selinux/refpolicy
you need to set
SELINUXTYPE=refpolicy
Petr
3:55 a.m.
On Thu, Jan 11, 2018 at 02:22:57PM -0000, rbs s wrote:
No. Because the new policy is also a targeted policy. Actually, I am a
student and am studying the Tresys Reference policy. So I need to load it for some
analysis.
rbs
To be clear, loading policy is not required to perform analysis.
setools in general can work against a binary policy file. For example:
sesearch -A -s init_t -t bin_t /path/to/my/policy.30
>_______________________________________________
>selinux mailing list -- selinux(a)lists.fedoraproject.org
>To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
2289
days inactive
2290
days old
selinux@lists.fedoraproject.org
9 comments
4 participants
participants (4)
-
Gary Tierney -
Lukas Vrabec -
Petr Lautrbach -
rbs s