selinux-policy and selinux-policy-targeted



alanrouse
17th March 2010, 04:05 PM
Three questions:

1) Can someone tell me where I can get the source module for the selinux-policy-targeted rpm found in the Factory repository? I don't see it under rawhide/source/SRPMS/

2) Can someone explain to me the difference between selinux-policy and selinux-policy-targeted?

3) Why are both installed in the iso image?

Thanks

AdamW
17th March 2010, 09:55 PM
"1) Can someone tell me where I can get the source module for the selinux-policy-targeted rpm found in the Factory repository? I don't see it under rawhide/source/SRPMS/"

It's generated from the selinux-policy SRPM.

"2) Can someone explain to me the difference between selinux-policy and selinux-policy-targeted?"

selinux-policy isn't an actual SELinux policy in itself; it's the framework that policies inhabit. selinux-policy-targeted is an actual SELinux policy, the default Fedora one (it only restricts the behaviour of certain applications, hence the name 'targeted').

alanrouse
18th March 2010, 03:35 PM
It's not obvious to me how to build a targeted policy from the selinux-policy SRPM.

"make install-src" puts the source in /etc/selinux/refpolicy, not /etc/selinux/targeted. Then of course "make conf; make; make install; make load" puts the policy in the refpolicy folder. And unless I'm doing something wrong, the system will not get labeled according to the targeted policy (i.e., home directory as unconfined_t etc).

What are the steps, starting from the selinux-policy SRPM to build the targeted policy?

AdamW
18th March 2010, 09:01 PM
As far as I can see, if you just build it straight from the SRPM with rpmbuild --rebuild, it builds the -targeted package. I'm not quite sure what problem you're having here.

alanrouse
18th March 2010, 09:45 PM
I'm actually not trying to build the rpm. I'm trying to build selinux policy from source, as a step toward customizing the policy. I've been unzipping the serefpolicy-*.tgz file and running make targets to build policy. I'm guessing this isn't the way people build policy any more. I guess I could try to reverse engineer what the Fedora selinux-policy.spec file is doing.

lovenemesis
19th March 2010, 12:36 AM
Probably this thread should be moved to somewhere else. ;-)

alanrouse
19th March 2010, 03:59 AM
> probably this thread should be moved to somewhere else. ;-)

I thought the Fedora 13 development forum would be the best place to find out about where to find source code for Fedora 13 RPMs. And I thought it would be the right place to find out about any customizations being done (or needing to be done) to SELinux for Fedora 13. If you know of a better place please let me know.

lovenemesis
19th March 2010, 12:50 PM
The Security section is a place worth trying; at least it's the place I would go if I had an SELinux-related problem.

The method for customising SELinux policy is probably not F13-specific.

AdamW
19th March 2010, 09:21 PM
'Reverse engineer' is a heavy phrase, given that it's plain text. =)

Sure, you can look at the spec file and see how it builds the package. I don't imagine it'll be very hard to work out.

domg472
21st March 2010, 07:01 PM
> Three questions:
>
> 1) Can someone tell me where I can get the source module for the selinux-policy-targeted rpm found in the Factory repository? I don't see it under rawhide/source/SRPMS/


http://koji.fedoraproject.org/koji/packageinfo?packageID=32

example:

http://koji.fedoraproject.org/koji/rpminfo?rpmID=1877993



> 2) Can someone explain to me the difference between selinux-policy and selinux-policy-targeted?


selinux-policy has files that are not particular to any specific policy model plus some devel files.

selinux-policy-targeted is a policy model with the distinct property that it uses type enforcement to target selected objects and subjects. Anything else is unconfined.

The unconfined domain is also a property of the targeted policy model.

Do:

rpm -ql selinux-policy
rpm -ql selinux-policy-targeted



> 3) Why are both installed in the iso image?


selinux-policy-targeted is the policy that Fedora enforces by default. The selinux-policy package provides common files required by any policy, and thus also by selinux-policy-targeted.

> It's not obvious to me how to build a targeted policy from the selinux-policy SRPM.
>
> "make install-src" puts the source in /etc/selinux/refpolicy, not /etc/selinux/targeted. Then of course "make conf; make; make install; make load" puts the policy in the refpolicy folder. And unless I'm doing something wrong, the system will not get labeled according to the targeted policy (ie, home directory as unconfined_t etc).
>
> What are the steps, starting from the selinux-policy SRPM to build the targeted policy?

Fedora ships refpolicy plus a Fedora-specific patch and uses different locations to store the files.

refpolicy is upstream to Fedora.

These are the install instructions for refpolicy:

http://oss.tresys.com/projects/refpolicy/wiki/UseRefpolicy

If you look in the Fedora source rpm you will find a patch. You would apply that patch to the extracted serefpolicy.tgz: patch -p0 <*patch.

Other important Fedora specifics can be found in the root of the extracted source rpm. The Fedora spec file is an important resource if you want to figure out how Fedora installs refpolicy as opposed to refpolicy.

Other good places for SELinux inquiries:

IRC:
Generic SELinux: irc://irc.freenode.org/selinux
Fedora SELinux: irc://irc.freenode.org/fedora-selinux

Mailing lists:
Generic SELinux: http://marc.info/?l=selinux&r=1&w=2
Tresys refpolicy patch submission: http://oss.tresys.com/pipermail/refpolicy/
Fedora SELinux: https://admin.fedoraproject.org/mailman/listinfo/selinux

HTTP:
Gateway to other SELinux HTTP resources:
www.selinuxproject.org
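
Added example, not part of any post in this thread and not Fedora's or refpolicy's own tooling: refpolicy installs under /etc/selinux/NAME, and NAME falls back to refpolicy when build.conf leaves it unset, which is why the plain make targets above never touch /etc/selinux/targeted. The helpers below set the options in a build.conf; the sample file is constructed, and TYPE = mcs and DISTRO = redhat are assumptions to check against the Fedora spec file.

```shell
#!/bin/sh
# Set KEY = VALUE in a refpolicy build.conf, whether the key is currently
# active, commented out, or missing.
set_build_opt() {
    conf=$1 key=$2 val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$conf"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${val}|" \
            "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$val" >> "$conf"
    fi
}

# Print the active (uncommented) value of KEY, or nothing if it is unset.
get_build_opt() {
    sed -n -E "s|^[[:space:]]*${2}[[:space:]]*=[[:space:]]*(.*)|\1|p" "$1" | tail -n 1
}

# Directory that "make install" would populate for this build.conf.
policy_install_dir() {
    name=$(get_build_opt "$1" NAME)
    printf '/etc/selinux/%s\n' "${name:-refpolicy}"
}

# Assumed settings for a Fedora-style targeted build; verify against the spec.
configure_targeted() {
    set_build_opt "$1" NAME targeted
    set_build_opt "$1" TYPE mcs
    set_build_opt "$1" DISTRO redhat
}

# Constructed sample resembling an unmodified upstream build.conf.
write_sample_conf() {
    printf '%s\n' 'TYPE = standard' '#NAME = refpolicy' \
        '#DISTRO = redhat' 'MONOLITHIC = n' > "$1"
}

sample=$(mktemp)
write_sample_conf "$sample"
echo "before: $(policy_install_dir "$sample")"
configure_targeted "$sample"
echo "after:  $(policy_install_dir "$sample")"
rm -f "$sample"
```

The same variables can instead be passed on the make command line, where they override build.conf.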

alanrouse
24th March 2010, 12:03 PM
Thanks domg472 for a very helpful answer!