Re: circular policy references generated by sepolgen

Michael Atighetchi <matighet@xxxxxxx> · Wed, 11 Jan 2012 13:21:29 +0100

On 1/11/2012 11:16 AM, Miroslav Grepl wrote:

On 01/10/2012 10:59 PM, Michael Atighetchi wrote:

All,

I have a number of custom policies that I developed on a Fedora 14 

system by using sepolgen and iterating over the policies up to a 

point where they are violation free.

When trying to install those policies on another system, I've run 

into a circular dependency issue. No matter what order I  call the 6 

.sh scripts created by sepolgen, I always end up with missing 

required types, e.g.,:

----
[proxyuser@lime selinux]$ sudo ./CZwd.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
make: Nothing to be done for `all'.
+ /usr/sbin/semodule -i CZwd.pp

libsepol.print_missing_requirements: CZwd's global requirements were 

not met: type/attribute CZfwa_t (No such file or directory).

libsemanage.semanage_link_sandbox: Link packages failed (No such file 

or directory).

/usr/sbin/semodule:  Failed!
----

Presumably, one can break these cycles by defining all required types 

first.

Is there a manual way to do this using the SELinux tools?

Thanks
Michael

You should use "optional_policy" statement in your policies to prevent 

this issue. I wrote a blog about this

http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-part-1/ 

Thanks for the pointer. Turns out that somehow the policies I had 

previously iterated over had a lot of junk in them, for instance, rules 

for types that are not really supposed to be declared by the specific 

policy module. After manually cleaning up the policies, I was able to 

get them to load and work properly.

Will keep the optional_policy in mind though.

Michael

--
Michael Atighetchi
Senior Scientist
Raytheon BBN Technologies
617-873-1679
matighet@xxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux