Dan Walsh's Blog

Got SELinux?


Spec File Magic.
danwalsh
In other blogs I have explained how easy it is to create an SELinux policy module and to edit and install the modules.

Several people have asked:

How can I build the selinux policy from source?

If you have no interest in the selinux-policy.spec file contents then you should probably go to the next blog...

The selinux-policy.spec file is a little bit different because it builds multiple different policy packages out of the same source pool.  In Red Hat Enterprise Linux 5, we build strict, targeted and MLS policy all from the same sources.  In Fedora 10 we are building targeted, mls and minimal all from the same spec file.

You can create the RPMs from the source RPM by running

> rpmbuild --rebuild selinux-policy-VERSION.src.rpm

I have a .rpmmacros file in my home directory which looks like

%_srcrpmdir /home/devel/dwalsh/sources/SRPMS
%_rpmdir    /home/devel/dwalsh/sources/RPMS
%_builddir  /home/devel/dwalsh/sources/BUILD
%_sourcedir /home/devel/dwalsh/sources/SOURCES
%_specdir   /home/devel/dwalsh/sources/SPECS
%__debug_package 0

This causes rpmbuild to build the selinux-policy-VERSION.noarch.rpm file in /home/devel/dwalsh/sources/RPMS/noarch

Rebuilding the entire package takes a long time since it needs to do multiple passes.  If I am just checking fixes for targeted policy, I do not want to wait for the MLS and STRICT policy packages to build, so I have set up a bunch of aliases to build only one type of policy.  These aliases are in my .bash_profile.

alias buildolpc="rpmbuild --define 'BUILD_MINIMUM 0' --define 'BUILD_OLPC 1' --define 'BUILD_TARGETED 0' --define 'BUILD_MLS 0' --define 'BUILD_STRICT 0' --rebuild "
alias buildmls="rpmbuild --define 'BUILD_MLS 1' --define 'BUILD_MINIMUM 0' --define 'BUILD_OLPC 0' --define 'BUILD_TARGETED 0' --define 'BUILD_STRICT 0' --rebuild "
alias buildtargeted="rpmbuild --define 'BUILD_MINIMUM 0' --define 'BUILD_OLPC 0' --define 'BUILD_MLS 0' --define 'BUILD_STRICT 0' --rebuild "
alias buildminimum="rpmbuild --define 'BUILD_MINIMUM 1' --define 'BUILD_OLPC 0' --define 'BUILD_MLS 0' --define 'BUILD_STRICT 0' --define 'BUILD_TARGETED 0' --rebuild "
alias buildstrict="rpmbuild --define 'BUILD_STRICT 1' --define 'BUILD_MLS 0' --define 'BUILD_TARGETED 0' --rebuild "

This allows me to just execute

> buildtargeted selinux-policy-VERSION.src.rpm
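The aliases above each spell out the BUILD_* macros by hand, and the buildstrict one is easy to get wrong because of the nested quoting. As an added example that is not from the post, here is a single shell function that does the same job for any of the five policy types, always sets every BUILD_* macro explicitly, and also accepts a .spec file (running rpmbuild -bi so the build tree is left behind). It assumes the spec honours BUILD_TARGETED, BUILD_MLS, BUILD_STRICT, BUILD_MINIMUM and BUILD_OLPC exactly as the post's aliases use them; RPMBUILD can be pointed at another command (for instance echo) to see the argument list without building anything.

```sh
#!/bin/sh
# Added example (not from the post): one function that replaces the five
# per-policy aliases, so every BUILD_* macro is always set explicitly.
# Assumption: the spec honours BUILD_TARGETED, BUILD_MLS, BUILD_STRICT,
# BUILD_MINIMUM and BUILD_OLPC exactly as the aliases in the post use them.
POLICY_TYPES="targeted mls strict minimum olpc"
RPMBUILD=${RPMBUILD:-rpmbuild}

# Print "MACRO value" pairs, one per line, enabling exactly one policy type.
policy_defines() {
    want=$1
    case " $POLICY_TYPES " in
        *" $want "*) ;;
        *) echo "unknown policy type: $want (one of: $POLICY_TYPES)" >&2; return 1 ;;
    esac
    for t in $POLICY_TYPES; do
        macro="BUILD_$(echo "$t" | tr 'a-z' 'A-Z')"
        if [ "$t" = "$want" ]; then
            echo "$macro 1"
        else
            echo "$macro 0"
        fi
    done
}

# buildpolicy TYPE FILE: rebuild a src.rpm, or run -bi on a spec file so the
# build tree is left behind in %_builddir, building only the one policy TYPE.
buildpolicy() {
    ptype=$1
    src=$2
    [ -n "$src" ] || { echo "usage: buildpolicy TYPE file.src.rpm|file.spec" >&2; return 1; }
    defs=$(policy_defines "$ptype") || return 1
    # Each --define argument contains a space, so build the argument list with
    # set -- rather than relying on word splitting.
    set --
    while read -r macro value; do
        set -- "$@" --define "$macro $value"
    done <<EOF
$defs
EOF
    case $src in
        *.spec) "$RPMBUILD" "$@" -bi "$src" ;;
        *)      "$RPMBUILD" "$@" --rebuild "$src" ;;
    esac
}
```

Source this file from .bash_profile and then `buildpolicy targeted selinux-policy-VERSION.src.rpm` does what the buildtargeted alias does, while `buildpolicy strict selinux-policy.spec` from the SPECS directory corresponds to the -bi invocation for STRICT policy.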

rpmbuild will clean up all the files when it completes building the policy, but if you really want to get into the source code you need to install the src.rpm.

rpm -Uhv selinux-policy-VERSION.src.rpm

This installs the selinux-policy.spec file in

~/sources/SPECS/selinux-policy.spec

It also adds the following files to

~/sources/SOURCES

serefpolicy-VERSION.tgz - Reference Policy tarball.
policy-DATE.patch - The patch against reference policy that Red Hat or Fedora is shipping.

- These two files get unpacked into ~/sources/BUILD during the %prep stage of the build.

modules-mls.conf, modules-strict.conf, modules-targeted.conf - Customized modules files. These files identify the policy modules that will be used for each policy type, and specify whether each module is built into the base module or into a separate .pp file.

booleans-mls.conf, booleans-strict.conf, booleans-targeted.conf - Customized booleans files for each policy type.  These files are used to customize the default boolean values, depending on the type of policy.

These files get copied to ~/sources/BUILD/serefpolicy-VERSION/policy/modules.conf and ~/sources/BUILD/serefpolicy-VERSION/policy/booleans.conf  for each policy type.

policygentool - Little command line tool used to help start generating policy.  I prefer to use polgengui from the policycoreutils-gui package.
Makefile.devel - This Makefile is installed in /usr/share/selinux/devel/Makefile.
securetty_types-mls, securetty_types-strict, securetty_types-targeted - These files identify the TYPES of terminals that newrole can be run on.  MLS does not allow you to run newrole on a pseudo terminal by default.
setrans-mls.conf, setrans-strict.conf, setrans-targeted.conf - The default translation files used for MCS and MLS Translations.

If you wanted to use the spec file to build the policy for, say, STRICT policy, you enter the ~/sources/SPECS directory and execute

rpmbuild --define 'BUILD_STRICT 1'  --define "BUILD_MLS 0" --define "BUILD_TARGETED 0" -bi selinux-policy.spec


This will leave the entire build environment in ~/sources/BUILD/serefpolicy-VERSION.

You could also go into the BUILD directory and modify the contents if you want, BUT you need to execute a complicated make command if you want to build.

If you wanted to update and rebuild modules:

make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 modules

Or if you wanted to rebuild base you would execute

make validate UNK_PERMS=allow NAME=strict TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base


If I wanted to switch the build from strict to targeted, I would

cd ~/sources/BUILD/serefpolicy-VERSION
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 bare
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 conf
cp ~/sources/SOURCES/modules-targeted.conf  ./policy/modules.conf
cp ~/sources/SOURCES/booleans-targeted.conf  ./policy/booleans.conf
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 base
make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 modules
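The make invocations above differ only in NAME and in the target, and switching policy types is the same five-step sequence every time, so it is easy to mistype one variable or forget to copy in the right modules.conf. As an added example that is not from the post, the following wraps them in two shell functions: rebuild NAME base|modules for the validate runs, and switch_policy NAME for the bare/conf/copy/base/modules sequence, which refuses to start if the per-type modules-NAME.conf or booleans-NAME.conf file is missing. It assumes the layout the post describes (the per-type files in ~/sources/SOURCES and the build tree as the current directory); MAKE and SRC_DIR can be overridden, for instance MAKE=echo to preview the commands.

```sh
#!/bin/sh
# Added example (not from the post): wraps the long make invocations so that
# rebuilding or switching the policy type in the build tree is one command.
# Assumptions: you are in ~/sources/BUILD/serefpolicy-VERSION (VERSION is a
# placeholder) and the modules-*.conf / booleans-*.conf files live in SRC_DIR.
SRC_DIR=${SRC_DIR:-$HOME/sources/SOURCES}
MAKE=${MAKE:-make}

# Build options common to every invocation in the post; NAME is supplied per call.
refpolicy_make() {
    name=$1
    shift
    $MAKE UNK_PERMS=allow "NAME=$name" TYPE=mcs DISTRO=redhat UBAC=n \
        DIRECT_INITRC=y MONOLITHIC=n POLY=y MLS_CATS=1024 MCS_CATS=1024 "$@"
}

# rebuild NAME base|modules: validate and rebuild part of the current policy.
rebuild() {
    refpolicy_make "$1" validate "$2"
}

# switch_policy NAME: reset the tree and rebuild it for another policy type,
# after checking that both per-type configuration files exist.
switch_policy() {
    name=$1
    for f in "$SRC_DIR/modules-$name.conf" "$SRC_DIR/booleans-$name.conf"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    refpolicy_make "$name" bare &&
    refpolicy_make "$name" conf &&
    cp "$SRC_DIR/modules-$name.conf" ./policy/modules.conf &&
    cp "$SRC_DIR/booleans-$name.conf" ./policy/booleans.conf &&
    refpolicy_make "$name" base &&
    refpolicy_make "$name" modules
}
```

With this sourced, the strict-to-targeted switch in the post becomes `cd ~/sources/BUILD/serefpolicy-VERSION && switch_policy targeted`, and `rebuild targeted modules` rebuilds the modules afterwards.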

Not for the faint of heart...

The macro which you were looking for is %_topdir. Write to your ~/.rpmmacros this line

%_topdir /home/devel/dwalsh/sources/

and you can save four lines.
