How to apply new policy exactly?

Christopher J. PeBenito cpebenito at tresys.com
Mon Sep 11 13:53:37 UTC 2006


On Mon, 2006-09-11 at 19:08 +0800, Benjamin Tsai wrote:
> I’ve downloaded refpolicy source from tresys’s website and
> tried to install it on my FC5 box.
> 
> However, there are some problems I’m not able to fix so
> far. According to online documents, I first setenforce 0.
> 
> In build.conf I enabled DISTRO=redhat, then make
> install-src under /etc/selinux/refpolicy
> 
> make conf; make policy; make install; make load
> under /etc/selinux/refpolicy/src/policy
> 
> 1.       While executing make load, it replied that the policy file
> argument policy.20 is no longer supported. The next line showed
> “continue…”
> 
> I was so confused here that it looked like refpolicy is not loaded
> yet. So how do I feed it a “supported policy file”?

It was not loaded because the load_policy in FC5 looks at
your /etc/selinux/config to determine what policy to load.  It does not
use the command line parameter, which is what the message is saying.
The refpolicy makefile provides this parameter for compatibility for
older SELinux machines.  What happened is that you loaded the policy
configured in /etc/selinux/config.

Second, you are using a monolithic policy build configuration, which is
not supported in FC5.

> 2.       Besides, is there any way I can check if the policy is
> loaded? My guess is sestatus.

Yes.  The "policy from config file" is the policy that was loaded.

> 3.       If I neglected the “loading-policy-thing” and make relabel
> directly, then I’ll get 
> 
You were relabeling using the file contexts from your custom refpolicy,
but the FC5 policy was loaded, and it turns out that the configurations
differ; therefore, there are invalid contexts.
> 
> Relabeling filesystem types: ext2 ext3 xfs jfs
> 
> /usr/sbin/setfiles /etc/selinux/refpolicy/contexts/files/file_contexts / /boot
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 79 has
> invalid context system_u:object_r:quota_db_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 121 has
> invalid context system_u:object_r:svc_svc_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 139 has
> invalid context system_u:object_r:ipsec_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 147 has
> invalid context system_u:object_r:ipsec_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 153 has
> invalid context system_u:object_r:ipsec_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 189 has
> invalid context system_u:object_r:ipsec_mgmt_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 213 has
> invalid context system_u:object_r:ipsec_mgmt_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 214 has
> invalid context system_u:object_r:ipsec_exec_t
> 
> /etc/selinux/refpolicy/contexts/files/file_contexts:  line 245 has
> invalid context system_u:object_r:portage_exec_t
> 
> Exiting after 10 errors.
> 
> make: *** [relabel] Error 1


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
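As an added example (not from the thread, not part of refpolicy), a small POSIX shell check for the two points diagnosed above: whether the file_contexts about to be applied by a relabel belongs to the policy type that load_policy will read from /etc/selinux/config, and which types a setfiles run rejected as invalid. The config contents and setfiles lines used in the demo are constructed.

```shell
#!/bin/sh
# Added example: pre-relabel consistency check and setfiles error summary.
# All sample inputs are constructed; nothing here is refpolicy's own code.

# selinux_type CONFIG_FILE -> value of SELINUXTYPE (e.g. "targeted")
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*//p' "$1" | tail -n 1
}

# fc_policy_type FILE_CONTEXTS_PATH -> the <type> component of
# /etc/selinux/<type>/contexts/files/file_contexts (empty if not that shape)
fc_policy_type() {
    echo "$1" | sed -n 's|^/etc/selinux/\([^/]*\)/contexts/files/file_contexts$|\1|p'
}

# check_relabel_source CONFIG_FILE FILE_CONTEXTS_PATH
# Exit 0 when the relabel would use the file_contexts of the policy that
# load_policy is configured to load; exit 1 on the mismatch seen in the thread
# (config names one policy, relabel applies another policy's contexts).
check_relabel_source() {
    want=$(selinux_type "$1")
    have=$(fc_policy_type "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# invalid_types < setfiles-output -> sorted unique list of rejected types,
# taken from lines of the form "...: line N has invalid context u:r:type"
invalid_types() {
    sed -n 's/.*invalid context [^:]*:[^:]*:\([^: ]*\).*/\1/p' | sort -u
}

# Demonstration with a constructed /etc/selinux/config and a refpolicy
# file_contexts path, mirroring the situation described in the reply.
demo() {
    conf=$(mktemp)
    printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$conf"
    fc=/etc/selinux/refpolicy/contexts/files/file_contexts
    if check_relabel_source "$conf" "$fc"; then
        echo "ok: $fc belongs to the configured policy"
    else
        echo "mismatch: config loads '$(selinux_type "$conf")' but relabel uses '$fc'"
    fi
    rm -f "$conf"
}
demo
```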