Description of problem:

Trying to build a custom SELinux module in an RPM package. The following command:

    $ make -C SELinux -f /usr/share/selinux/devel/Makefile

works fine normally but when run under mock (a chroot RPM build environment with a dummy libselinux and /selinux not mounted), the following failure occurs:

    /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
    cat: /selinux/mls: No such file or directory
    make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
    /usr/share/selinux/devel/Makefile:14: /usr/share/selinux/targeted/include/Makefile: No such file or directory
    make: *** No rule to make target `/usr/share/selinux/targeted/include/Makefile'. Stop.
    make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
    error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)

Version-Release number of selected component (if applicable):

selinux-policy-2.2.34-3.fc5

Additional info:

I raised this on fedora-selinux-list (see this bug's URL) and Dan told me that this was a Makefile bug that should be bugzilla-ed.
fixed in selinux-policy-2.2.38-1.FC5.
I'm still getting exactly the same error. I think it's due to /usr/share/selinux/targeted/include being a symlink from the selinux-policy-targeted package, so I'll need to buildrequire that to get it to work - is that intended, or should it be possible to build policy with only the selinux-policy package installed?
Yes you will need to buildrequire a policy package. Currently the targeted package, although they all are built from the same source. If you have a better suggestion, we are willing to listen. :^)

Dan
Couldn't /usr/share/selinux/devel/Makefile have:

    HEADERDIR := $(SHAREDIR)/devel/include

instead of:

    HEADERDIR := $(SHAREDIR)/targeted/include

Would that not work, since the latter is a symlink to the former? Is there anything else from the targeted policy that's needed, other than this symlink?
Yes that is a bug. No that should be enough.
Next data point:

Package build in mock with:

    checkpolicy.i386 0:1.30.3-1.fc5
    selinux-policy-targeted.noarch 0:2.2.38-1.fc5

Build log includes:

    + /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
    cat: /selinux/mls: No such file or directory
    make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
    Compiling targeted contagged module
    /usr/bin/checkmodule: loading policy configuration from tmp/contagged.tmp
    /usr/bin/checkmodule: policy configuration loaded
    /usr/bin/checkmodule: writing binary representation (version 5) to tmp/contagged.mod
    Creating targeted contagged.pp policy package
    make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'

Result of trying to install the resulting module:

    # rpm -Uvh contagged-0.3-4.fc5.noarch.rpm
    Preparing... ########################################### [100%]
    1:contagged ########################################### [100%]
    libsepol.link_modules: Tried to link in a non-MLS module with an MLS base.
    libsemanage.semanage_link_sandbox: Link packages failed
    /usr/sbin/semodule: Failed!

Workaround for now:

Use "make MCSFLAG=-mcs" instead of just "make" to build the policy package.
Created attachment 129462
Try this Makefile

This is the Makefile that is in Rawhide. It seems to work for me. Of course I just changed the lookup for /selinux/mls to /selinux1/mls to cause the failure.

You can also execute

    make verbose=

which will show you what code is being executed. Should be defaulting to "checkmodule -M "
This Makefile does the trick. Next question: how to build policy modules for targeted, strict, and mls base policies in mock, all in the same spec file? Is this possible just by passing parameters to make?
(In reply to comment #10)
> This Makefile does the trick. Next question: how to build policy modules for
> targeted, strict, and mls base policies in mock, all in the same spec file? Is
> this possible just by passing parameters to make?

I've tried this as follows:

    %define selinux_variants mls strict targeted

    BuildRequires: checkpolicy, selinux-policy

(none of the strict/targeted/mls policy packages are installed)

    %build
    for selinuxvariant in %{selinux_variants}
    do
        make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
        mv myapp.pp myapp.pp.${selinuxvariant}
        make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
    done

    %install
    for selinuxvariant in %{selinux_variants}
    do
        install -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
        install -p -m 644 myapp.pp.${selinuxvariant} \
            %{buildroot}%{_datadir}/selinux/${selinuxvariant}/myapp.pp
    done

This does appear to work but the generated .pp files for mls/strict/targeted are all identical. Is that to be expected? I can only test the targeted version, which I'd expect to work anyway since it's the default.
Theoretically you should be able to build one pp file and install it on all three. The only exception would be if you had some MLS specific stuff in it. You only need to install it with semodule, you do not need to install the pp file. I.e.

    semodule -i myapp.pp -s $selinuxvariant

would work. Probably all with the same pp file.

Let's bring this discussion to the list and maybe I can blog and put it on the fedora wiki.

Dan
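
The install step described in the last comment, as an added example that is not part of the original thread or of any package's scriptlets: it loads one .pp into each policy store that is actually present on the host, using the `semodule -i ... -s ...` form quoted above, and skips variants whose store is not installed. The store location `/etc/selinux/<variant>` and the `SELINUX_ROOT` and `DRY_RUN` variables are assumptions introduced for this sketch.

```shell
#!/bin/sh
# Added example: install one policy package into every SELinux policy
# store present on the host.
# Assumptions (not from the thread): stores live under
# /etc/selinux/<variant>; SELINUX_ROOT and DRY_RUN are hypothetical knobs
# so the logic can be exercised without touching a real policy store.

SELINUX_ROOT="${SELINUX_ROOT:-/etc/selinux}"

# present_variants <variant>...
# Print, one per line, the variants whose store directory exists.
present_variants() {
    for variant in "$@"; do
        if [ -d "$SELINUX_ROOT/$variant" ]; then
            printf '%s\n' "$variant"
        fi
    done
    return 0
}

# install_module <module.pp> <variant>...
# Returns 0 if every present store accepted the module, 1 otherwise.
install_module() {
    pp="$1"
    shift
    if [ ! -r "$pp" ]; then
        echo "missing policy package: $pp" >&2
        return 1
    fi
    rc=0
    for variant in $(present_variants "$@"); do
        if [ -n "${DRY_RUN:-}" ]; then
            # Show the command instead of running it.
            echo "semodule -i $pp -s $variant"
        elif ! semodule -i "$pp" -s "$variant"; then
            # A link failure (e.g. non-MLS module, MLS base) lands here.
            echo "semodule failed for store $variant" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `DRY_RUN=1 install_module myapp.pp mls strict targeted` to see which stores would be touched before running it for real as root.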