* building base policy on RHEL5
@ 2008-10-09 21:19 Andy Warner
From: Andy Warner @ 2008-10-09 21:19 UTC (permalink / raw)
To: SE Linux
I am (an SELinux newbie) working on a project which will require me to add
new object classes to my policy. After doing much reading, I find that
in order to add object classes I must modify and build the base policy
(??). My approach is to download the source for the policy, modify it
with the new object classes and TE rules, and build it. My first step is
to try to simply build the strict (or any) policy from the sources. I
get a syntax error when trying to build the policy. My steps are:
rpm -i selinux-policy-2.4.6-137.1.el5.src.rpm
cd /usr/src/redhat/SPECS
rpmbuild -bp selinux-policy.spec
cd /usr/src/redhat/BUILD/serefpolicy-2.4.6
make conf
make
which results in the following failure:
/usr/bin/checkpolicy policy.conf -o policy.21
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/services/fail2ban.te:59:ERROR 'syntax error' at token
'corenet_tcp_connect_whois_port' on line 439903:
corenet_tcp_connect_whois_port(fail2ban_t)
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.21] Error 1
some possibly relevant packages are:
checkpolicy.i386 1.33.1-4.el5 installed
policycoreutils.i386 1.33.12-14.el5 installed
policycoreutils-gui.i386 1.33.12-14.el5 installed
policycoreutils-newrole.i386 1.33.12-14.el5 installed
selinux-policy.noarch 2.4.6-137.1.el5 installed
selinux-policy-devel.noarch 2.4.6-137.1.el5 installed
selinux-policy-mls.noarch 2.4.6-137.1.el5 installed
selinux-policy-strict.noarch 2.4.6-137.1.el5 installed
selinux-policy-targeted.noarch 2.4.6-137.1.el5 installed
libselinux.i386 1.33.4-5.el5 installed
libselinux-devel.i386 1.33.4-5.el5 installed
libselinux-python.i386 1.33.4-5.el5 installed
libsemanage.i386 1.9.1-3.el5 installed
libsepol.i386 1.15.2-1.el5 installed
libsepol-devel.i386 1.15.2-1.el5 installed
setools.i386 3.0-3.el5 installed
setools-devel.i386 3.0-3.el5 installed
setools-gui.i386 3.0-3.el5 installed
setroubleshoot.noarch 2.0.5-3.el5 installed
setroubleshoot-plugins.noarch 2.0.4-2.el5 installed
setroubleshoot-server.noarch 2.0.5-3.el5 installed
Any help would be greatly appreciated,
Andy
* Re: building base policy on RHEL5
From: Dominick Grift @ 2008-10-09 21:46 UTC (permalink / raw)
To: Andy Warner; +Cc: SE Linux
On Thu, 2008-10-09 at 23:19 +0200, Andy Warner wrote:
>
> which results in the following failure:
>
> /usr/bin/checkpolicy policy.conf -o policy.21
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/services/fail2ban.te:59:ERROR 'syntax error' at token
> 'corenet_tcp_connect_whois_port' on line 439903:
>
> corenet_tcp_connect_whois_port(fail2ban_t)
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.21] Error 1
It is best to rebuild the package using the included modules.conf,
selinux-policy.spec and other included files by redhat in the source
rpm.
The redhat modules.conf does not include the fail2ban module (it will not
try to build and install that module).
The issue with that entry is that the whois port is not declared in the
corenetwork module and thus you get a syntax error.
That whole fail2ban module doesn't work; fail2ban itself has a nasty bug
(leaked file descriptor) which makes it difficult to confine with
selinux.
I recently made a screencast that shows how to rebuild and maintain selinux
policy using red hat rpms; this may or may not be helpful for you:
http://82.197.205.60/~domg472/test.ogg
I hope this helps
--
Dominick Grift <domg472@gmail.com>
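The failure in this thread is a module calling an interface that the policy tree never declares (corenet_tcp_connect_whois_port in fail2ban.te, with no such interface in corenetwork.if). The check below, an added example and not code from the thread or from the reference policy, lists such calls before the slow checkpolicy run; the corenetwork.if and fail2ban.te excerpts it uses are constructed samples, and the KEYWORDS list of m4/policy macros to skip is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: list interface calls in a .te module
# that no interface()/template() in the policy tree's .if files declares.
# This is the error checkpolicy reported above (corenet_tcp_connect_whois_port
# undeclared in corenetwork.if), caught before the long "make" run.
# The policy and module files used below are constructed samples.

# m4/policy macros that look like interface calls but are not interfaces (assumed list).
KEYWORDS='policy_module|gen_require|gen_tunable|gen_context|optional_policy|tunable_policy|ifdef|ifndef|ifelse|define|require'
# undeclared_interfaces TE_FILE POLICY_DIR
# Prints each interface called in TE_FILE (identifier followed by "(" at line
# start) that no .if under POLICY_DIR declares; returns 1 if any were found.
undeclared_interfaces() {
    te="$1"; dir="$2"; tmp=$(mktemp -d)
    find "$dir" -name '*.if' -exec awk '
        /^[[:space:]]*(interface|template)\(`/ {
            sub(/^[[:space:]]*(interface|template)\(`/, "")
            sub(/[^A-Za-z0-9_].*/, "")          # cut at the closing quote
            print }' {} + | sort -u > "$tmp/declared"
    awk '/^[[:space:]]*[a-z][A-Za-z0-9_]*\(/ {
            sub(/^[[:space:]]*/, ""); sub(/\(.*/, ""); print }' "$te" \
        | grep -Ev "^($KEYWORDS)\$" | sort -u > "$tmp/called"
    comm -23 "$tmp/called" "$tmp/declared"      # called but never declared
    n=$(comm -23 "$tmp/called" "$tmp/declared" | wc -l)
    rm -rf "$tmp"
    [ "$n" -eq 0 ]
}

# demo: a constructed corenetwork.if that, like the RHEL5 policy in the
# thread, declares the ssh port interface but not the whois one.
demo() {
    d=$(mktemp -d); mkdir -p "$d/policy/modules/kernel" "$d/policy/modules/services"
    cat > "$d/policy/modules/kernel/corenetwork.if" <<'EOF'
interface(`corenet_tcp_connect_ssh_port',`
	gen_require(`
		type ssh_port_t;
	')
	allow $1 ssh_port_t:tcp_socket name_connect;
')
EOF
    cat > "$d/policy/modules/services/fail2ban.te" <<'EOF'
policy_module(fail2ban, 1.0.0)
type fail2ban_t;
corenet_tcp_connect_ssh_port(fail2ban_t)
corenet_tcp_connect_whois_port(fail2ban_t)
EOF
    out=$(undeclared_interfaces "$d/policy/modules/services/fail2ban.te" "$d/policy" || true)
    rm -rf "$d"; printf '%s\n' "$out"
}
```

Run against a real serefpolicy tree as `undeclared_interfaces policy/modules/services/fail2ban.te policy` from the build directory; a non-zero exit is the signal to disable the module in modules.conf or add the missing interface before running make.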