circular policy references generated by sepolgen
Michael Atighetchi
matighet at bbn.com
Wed Jan 11 12:21:29 UTC 2012
On 1/11/2012 11:16 AM, Miroslav Grepl wrote:
> On 01/10/2012 10:59 PM, Michael Atighetchi wrote:
>> All,
>>
>> I have a number of custom policies that I developed on a Fedora 14
>> system by using sepolgen and iterating over the policies up to a
>> point where they are violation free.
>>
>> When trying to install those policies on another system, I've run
>> into a circular dependency issue. No matter what order I call the 6
>> .sh scripts created by sepolgen, I always end up with missing
>> required types, e.g.,:
>>
>> ----
>> [proxyuser at lime selinux]$ sudo ./CZwd.sh
>> Building and Loading Policy
>> + make -f /usr/share/selinux/devel/Makefile
>> make: Nothing to be done for `all'.
>> + /usr/sbin/semodule -i CZwd.pp
>> libsepol.print_missing_requirements: CZwd's global requirements were
>> not met: type/attribute CZfwa_t (No such file or directory).
>> libsemanage.semanage_link_sandbox: Link packages failed (No such file
>> or directory).
>> /usr/sbin/semodule: Failed!
>> ----
>>
>> Presumably, one can break these cycles by defining all required types
>> first.
>> Is there a manual way to do this using the SELinux tools?
>>
>> Thanks
>> Michael
>>
>>
> You should use "optional_policy" statement in your policies to prevent
> this issue. I wrote a blog about this
>
> http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-part-1/
>
>
Thanks for the pointer. Turns out that somehow the policies I had
previously iterated over had a lot of junk in them, for instance, rules
for types that are not really supposed to be declared by the specific
policy module. After manually cleaning up the policies, I was able to
get them to load and work properly.
Will keep the optional_policy in mind though.
Michael
--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet at bbn.com
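
An added example (not code from the thread or from sepolgen): it reads module .te sources, maps each required type to the module that declares it, and reports groups of modules that require each other as well as required types that no module declares. The sample sources, the module names CZfwa and CZlog and the type CZgone_t are constructed; requirements wrapped in optional_policy are treated as hard requirements here.

```python
import re

# Constructed sample .te sources. Only CZwd and CZfwa_t appear in the thread;
# the module names CZfwa and CZlog and every rule below are assumptions.
SAMPLE = {
    "CZwd": "policy_module(CZwd, 1.0.0)\ntype CZwd_t;\n"
            "require { class process { signal sigkill }; type CZfwa_t; }\n",
    "CZfwa": "policy_module(CZfwa, 1.0.0)\ntype CZfwa_t, domain;\n"
             "gen_require(`\n  type CZwd_t, CZlog_t;\n')\n",
    "CZlog": "policy_module(CZlog, 1.0.0)\ntype CZlog_t;\n"
             "require { type CZgone_t; }  # declared by no module in the set\n",
}

# gen_require(` ... ') or require { ... } with one level of nested braces
REQ = re.compile(r"gen_require\(`(.*?)'\)|\brequire\s*\{((?:[^{}]|\{[^{}]*\})*)\}", re.S)

def parse(te):
    """Return (declared types, types required from other modules) for one .te source."""
    te = re.sub(r"#.*", "", te)  # drop comments
    required = set()
    for m in REQ.finditer(te):
        for stmt in re.findall(r"\btype\s+([^;]+);", m.group(1) or m.group(2) or ""):
            required.update(t.strip() for t in stmt.split(","))
    # Declarations are 'type' statements outside any require block.
    declared = set(re.findall(r"^\s*type\s+(\w+)", REQ.sub("", te), re.M))
    return declared, required - declared

def analyse(sources):
    """Map each module to the modules it needs, plus required types nobody declares."""
    info = {name: parse(te) for name, te in sources.items()}
    owner = {t: name for name, (decl, _) in info.items() for t in decl}
    deps = {n: {owner[t] for t in req if t in owner} for n, (_, req) in info.items()}
    missing = {n: sorted(req - set(owner)) for n, (_, req) in info.items()}
    return deps, {n: m for n, m in missing.items() if m}

def reach(deps, start):  # modules reachable from start by following requirements
    seen, stack = set(), [start]
    while stack:
        for nxt in deps[stack.pop()] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return seen

def cycle_groups(deps):
    """Groups of modules that require each other, directly or transitively."""
    r = {m: reach(deps, m) for m in deps}
    return sorted({tuple(sorted(n for n in r[m] if m in r[n])) for m in deps if m in r[m]})

if __name__ == "__main__":
    deps, missing = analyse(SAMPLE)
    print("mutually dependent:", cycle_groups(deps), "unresolved:", missing)
```

Modules reported in one group cannot be loaded one at a time in any order; `semodule -i` accepts several .pp files in one invocation, which links them in a single transaction.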