Building a monolithic policy

Hi Dan,

I have read and followed your blogs and found a lot of good tips.

I would like to know if you have a blog that shows how to build a monolithic policy.

I have tried but failed to build a monolithic policy with the RHEL6 policy source, v3.7.19. I have tried three different ways:

1. Edited selinux-policy.spec and set "%define monolithic y". I got this compile error:

make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=redhat UBAC=n DIRECT_INITRC=n MONOLITHIC=y POLY=y MLS_CATS=1024 MCS_CATS=1024 base.pp
make: *** No rule to make target `base.pp'

Obviously, the spec was written for building modular policy only.

2. Modified build.conf, set MONOLITHIC = y, and built from the command line with "make policy". I got this error:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/apps/gitosis.te":10:ERROR 'syntax error' at token 'typeattribute' on line 2132630:
typeattribute gitosis_t application_domain_type;
#line 10
checkpolicy: error(s) encountered while parsing configuration

3. Modified policy/modules.conf, set all modules to "base", and built from the command line with "make policy". I got the same error as in 2.

Do you know if building a monolithic policy is still supported, and what the proper steps to do that are?

Thank you very much.


Re: Building a monolithic policy

It should work, but you could be revealing a bug in our policy that is covered up with modular policy. I would remove the gitosis module to see if everything builds.

Might be better to carry on this discussion on the fedora or refpolicy lists.

Found what was wrong and had a workaround

Thanks for the suggestion. I have found what was wrong. There are three problems when compiling a monolithic policy:

1. In the combined policy.conf, the "user" statements, which are the result of the gen_user() macros defined at the end of some modules, are mixed in among the other statements. The SELinux compiler does not like that, which causes the error in my first post. To work around this problem, I moved the gen_user() macros to users-targeted, which becomes the users file and is appended to the end of policy.conf.

To really fix this problem I think the pre-processing scripts should perform the move automatically.

The related modules are unconfineduser.te, guest.te, xguest.te, and git.te.

2. Another problem is that some type statements are defined inside an optional_policy() block in one module and referenced via gen_require() in another module. To work around this I moved the type statements outside of and above the optional_policy().

The related modules are samba.te, unconfineduser.te, and qemu.te.

3. This is not quite a problem, but the selinux-policy.spec file was written to build a modular policy RPM only. If one wants to build a monolithic policy RPM, the file has to be modified.
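The two source-level problems described in the post above (gen_user() calls sitting inside module .te files, and type declarations hidden inside optional_policy() blocks) can be found mechanically before running a MONOLITHIC=y build. The following lint script is an added example, not code from the thread, from Dan, or from refpolicy. The sample .te files it creates are constructed stand-ins named after the modules the poster listed; they are not the real RHEL6 sources, and the block-tracking rules assume refpolicy's usual m4 layout (a block opens on a line ending in a backtick and closes on a line that is just ')).

```shell
#!/bin/sh
# Added example: lint a refpolicy-style tree for constructs that the modular
# build tolerates but a monolithic policy.conf does not. Not part of refpolicy.

# Problem 1: gen_user() inside a module .te. In a single policy.conf the
# "user" statements must come last (the users file), so list every module
# that still carries one. Prints one path per offending module.
lint_gen_user() {
    dir=$1
    grep -l 'gen_user(' "$dir"/policy/modules/*/*.te 2>/dev/null || true
}

# Problem 2: a type declared inside optional_policy(`...'). If another module
# names it in gen_require(), checkpolicy may see the reference without the
# declaration once everything is one file. Prints file:line:type.
# Assumed block style (refpolicy m4): a line ending in ` opens a block,
# a line that is just ') closes one.
lint_types_in_optional() {
    file=$1
    awk -v f="$file" '
        /`$/ {
            depth++
            if ($1 ~ /^optional_policy\(/ && !opt) opt = depth
        }
        /^[[:space:]]*'"'"'\)/ {
            if (opt == depth) opt = 0
            depth--
        }
        /^[[:space:]]*type [a-z0-9_]+;/ {
            if (opt) { t = $2; sub(/;$/, "", t); print f ":" NR ":" t }
        }
    ' "$file"
}

# Constructed sample tree (stand-ins, not the real RHEL6 modules).
mk_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/policy/modules/services" "$root/policy/modules/system"
    cat >"$root/policy/modules/services/samba.te" <<'EOF'
policy_module(samba, 1.0.0)

type samba_t;
type samba_exec_t;

optional_policy(`
    type samba_unconfined_script_t;
    type samba_unconfined_script_exec_t;
    domain_type(samba_unconfined_script_t)
')
EOF
    cat >"$root/policy/modules/system/unconfineduser.te" <<'EOF'
policy_module(unconfineduser, 1.0.0)

type unconfined_t;

gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
EOF
    cat >"$root/policy/modules/system/clean.te" <<'EOF'
policy_module(clean, 1.0.0)

type clean_t;

optional_policy(`
    allow clean_t self:process signal;
')
EOF
    echo "$root"
}

# Stand-alone run over the constructed tree.
demo_root=$(mk_sample_tree)
echo "== modules with gen_user() (move to the users file):"
lint_gen_user "$demo_root"
echo "== types declared inside optional_policy() (hoist above the block):"
for te in "$demo_root"/policy/modules/*/*.te; do
    lint_types_in_optional "$te"
done
rm -rf "$demo_root"
```

Pointed at a real checkout (`lint_gen_user /path/to/serefpolicy`, and the for-loop over its `policy/modules/*/*.te`), the output is the list of files to edit before retrying `make policy` with MONOLITHIC = y. The second check flags every type inside an optional_policy() block, not only those another module requires, so treat its output as candidates to inspect rather than a list of certain errors.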

Where did enableaudit.pp move to?

It seems that as a result of the move from /usr/share/selinux/targeted/ to /etc/selinux/targeted/modules/active/ the file enableaudit.pp has disappeared.

How can I enable auditing of all dontaudit rules on Fedora 16?


Re: Where did enableaudit.pp move to?

Disable dontaudits with:
semodule -DB

Re-enable with:
semodule -B

enableaudit.pp only exists in RHEL5.

Re: Where did enableaudit.pp move to?

Thanks Dan, that allowed me to track down the AVC I was looking for.


I have a custom monolithic build based on RHEL6 policy.
I get this error when I try to turn off dontaudit rules:

libsemanage.semanage_link_sandbox: Could not access sandbox base file /etc/selinux/targeted/modules/bmp/base.pp. (No such file or directory)

Is there another way to turn off dontaudit in a monolithic policy?


Not that I know of.

Ask this question on the selinux mail list. Might need to update the tool chain if it is possible.

SELinux <selinux@tycho.nsa.gov>
