# SELinux - where to 'make load'?

## Lawless

I'm trying to get SELinux working. 

First I followed the Null Selinux Howto - now I'm trying to load the policies.

The Gentoo SELinux handbook tells me to go to /etc/security/selinux/src/policy and do a 'make load' but I do not have this directory.

After installing selinux-base-policy I do have an /etc/selinux - but I found nothing where I could do the make.

Did I forget something that prevented the creation of this directory?

----------

## nixnut

You do that in the directory where the sources are. Alternatively, just use the load_policy tool.

----------

## Lawless

Ok load_policy is going into "/etc/selinux/strict/policy/" which is empty and therefore I get an 

```
# load_policy
load_policy:  Can't load policy:  No such file or directory
```

That's all I have emerged

```
# emerge -pv checkpolicy policycoreutils selinux-base-policy python-selinux libselinux
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild   R   ] sys-apps/checkpolicy-1.30.12  USE="-debug" 0 kB
[ebuild   R   ] sys-apps/policycoreutils-1.30.30  USE="nls pam" 0 kB
[ebuild   R   ] sec-policy/selinux-base-policy-20061015  0 kB
[ebuild   R   ] dev-python/python-selinux-2.16-r2  0 kB
[ebuild   R   ] sys-libs/libselinux-1.30.29  0 kB
```

I'm just too blind to see what step I forgot in the howto...

----------

## nixnut

less /var/db/pkg/sec-policy/selinux-base-policy-20061015/CONTENTS should tell you where the policy files got installed.

----------

## Lawless

Ok next try...

```
dir /usr
dir /usr/share
dir /usr/share/selinux
dir /usr/share/selinux/strict
obj /usr/share/selinux/strict/base.pp a8ef5b78287ca973f964a487afd75e4a 1162125130
dir /usr/share/selinux/strict/include
obj /usr/share/selinux/strict/include/global_tunables.xml b146f329a0e3956e5b8691fcd187c8bf 1162125130
obj /usr/share/selinux/strict/include/global_booleans.xml c1d676e283d437c5e644bbd65c1920ac 1162125130
obj /usr/share/selinux/strict/include/rolemap f53531b83c7def5e913ddbc2ef8e663e 1162125130
dir /usr/share/selinux/strict/include/support
obj /usr/share/selinux/strict/include/support/loadable_module.spt 1aa45bc236c4935eee3f029679abfab6 1162125130
obj /usr/share/selinux/strict/include/support/misc_macros.spt 50377b50ddcd4354530817351b0696cf 1162125130
(...)
dir /etc/selinux
dir /etc/selinux/strict
dir /etc/selinux/strict/contexts
obj /etc/selinux/strict/contexts/default_contexts 2e0357decc0d201dd2398e81e7790835 1162125130
obj /etc/selinux/strict/contexts/default_type f940e5556379e0c7f3d12b09a149dcc2 1162125130
obj /etc/selinux/strict/contexts/initrc_context 5a81f6953618a27c85d55ef287dc85e7 1162125130
(...)
obj /etc/selinux/targeted/contexts/run_init_type 8cbd6783e901b590f2f327d1aaf3c3d3 1162125130
dir /etc/selinux/targeted/policy
obj /etc/selinux/targeted/policy/.keep_sec-policy_selinux-base-policy-0 d41d8cd98f00b204e9800998ecf8427e 1162125130
obj /etc/selinux/config 0e845ce007e469b90bf7528beb3fec26 1162125130
```

/etc/selinux/strict/policy is empty and the only Makefile is in /usr/share/selinux/strict/include/

```
# make load
Loading strict modules: 
At least one mode must be specified.
usage:  /usr/sbin/semodule [options]... MODE [MODES]...
Manage SELinux policy modules.
MODES:
  -R, --reload              reload policy
  -B, --build               build and reload policy
  -i,--install=MODULE_PKG   install a new module
  -u,--upgrade=MODULE_PKG   upgrade existing module
  -b,--base=MODULE_PKG      install new base module
  -r,--remove=MODULE_NAME   remove existing module
  -l,--list-modules         display list of installed modules
Other options:
  -s,--store       name of the store to operate on
  -n,--noreload    do not reload policy after commit
  -h,--help        print this message and quit
  -v,--verbose     be verbose
make: *** [load] Error 1
```

```
# semodule -l
semodule: SELinux policy is not managed or store cannot be accessed.
```

 :Sad: 

----------

## Lawless

And now I cannot emerge other packages

```
>>> Merging dev-libs/libassuan-0.9.3 to /
>>> Setting SELinux security labels
/etc/selinux/strict/contexts/files/file_contexts: No such file or directory

!!! ERROR: dev-libs/libassuan-0.9.3 failed.
Call stack:
  misc-functions.sh, line 439:   Called preinst_selinux_labels
  misc-functions.sh, line 361:   Called die
```

(With FEATURES="selinux" turned off...)

And according to this thread

https://forums.gentoo.org/viewtopic-t-190744-highlight-filecontexts.html

(which is old, I know) I should have a directory somewhere with .fc or .te files, but I only have lots of .if... so to me it seems I do not have the policy sources...?

----------

## Lawless

Ok, now I got the refpolicy sources which are getting downloaded with the selinux-base-policy but don't get installed to /etc/selinux...

I did this myself, compiled the policy and loaded it successfully

```
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        refpolicy
```

So are these the sources I was looking for? Why aren't they installed by the ebuild...

----------

## b_koepke

Did you keep reading the SELinux handbook?

It says that as of 2006.1 you use the tool 'semodule -B' to load selinux policies. 

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=2

The 'make load' command is deprecated.

(I had the same problem until I read the rest of the handbook)

----------

## Lawless

I did try it but with the semodule tool I only get

```
# semodule -B
semodule: SELinux policy is not managed or store cannot be accessed
```

----------

## b_koepke

Make sure the file '/etc/selinux/semanage.conf' is set to direct and not to source. (module-store = direct)

Also, you need to use the standard ebuilds.

----------

## Lawless

```
module-store = direct
```

Standard ebuild... I used the selinux-base-policy ebuild as mentioned above - that thing with copying the source was done after nothing else worked.

The handbook says to be able to use semodule you have to be in sysadm_r role. I did that as root on console (direct login, no su) and I tried it with 'newrole' and according to the ps output I was in sysadm role.

Still the same message...

----------

## b_koepke

Hmm... this sounds like a pretty complicated error.

I had one similar; however, I cannot remember what I did to fix it. 

It may have to do with the fact that you are currently using sources to load your policies. (you ran 'make load' in the /etc/selinux/policy/src directory, so now the semodule tool sees that you have already loaded the policy from different sources) 

Your sestatus output displays that the config is from refpolicy. I don't know how to reset this. (maybe it is in the options in /etc/selinux/policy/src?, you could try running 'make clean' or something similar to unload the selinux policy)

I don't know what to suggest other than to remove the selinux use flag, emerge -uDN world, reboot and add the selinux use flag again, and run emerge -uDN world. (Hoping that you did some small thing wrong during the previous installation). 

Then instead of running make load, just try semodule -B. This problem may also be because your files have not been labeled yet: rlpkg -a. (I will try to figure something better out later if this doesn't work.)

----------

## Lawless

This semodule error comes also when I have no policy loaded (sestatus: disabled)...

I set up a UML where I currently try it again with a plain system. I'll tell you what happens.

----------

## flipper203

Hello, 

I have the same kind of problem: https://forums.gentoo.org/viewtopic-t-512934.html maybe someone can help me.  :Embarassed: 

----------

## Lawless

Got it working in the UML

I had to:

```
# cd /usr/share/selinux/strict/
# semodule -b base.pp
# semodule -R
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 20
Policy from config file:        strict
```

----------
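Added example, not part of the thread and not Gentoo's own tooling: a shell function that checks the on-disk state behind the errors quoted above (the `module-store` setting, `base.pp`, the empty policy directory, the missing `file_contexts`). The function name `selinux_policy_check` and its root-prefix argument are assumptions made for illustration; the paths are the ones quoted in the posts, and `SELINUXTYPE` is the standard key in `/etc/selinux/config`.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. The first argument is a root
# prefix ("" = live system) so the check can run against a constructed tree.
# Usage: selinux_policy_check ""    # exit status = number of problems found
selinux_policy_check() {
    root="${1:-}"; problems=0
    cfg="$root/etc/selinux/config"
    [ -r "$cfg" ] || { echo "FAIL $cfg is not readable"; return 1; }
    # SELINUXTYPE names the policy store (strict or targeted in the thread)
    ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" | tail -n 1)
    [ -n "$ptype" ] || { echo "FAIL SELINUXTYPE is not set in $cfg"; return 1; }
    echo "INFO policy type: $ptype"

    # b_koepke's advice: semanage.conf should say module-store = direct
    if grep -Eq '^[[:space:]]*module-store[[:space:]]*=[[:space:]]*direct[[:space:]]*$' \
            "$root/etc/selinux/semanage.conf" 2>/dev/null; then
        echo "OK   module-store = direct"
    else
        echo "FAIL semanage.conf lacks 'module-store = direct'"; problems=$((problems + 1))
    fi
    # Base module package that 'semodule -b base.pp' installs
    if [ -f "$root/usr/share/selinux/$ptype/base.pp" ]; then
        echo "OK   base.pp present"
    else
        echo "FAIL no base.pp under /usr/share/selinux/$ptype"; problems=$((problems + 1))
    fi
    # Compiled binary policy (policy.<version>) that load_policy looks for
    found=no
    for f in "$root/etc/selinux/$ptype/policy"/policy.*; do
        if [ -f "$f" ]; then found=yes; fi
    done
    if [ "$found" = yes ]; then
        echo "OK   compiled policy present"
    else
        echo "FAIL /etc/selinux/$ptype/policy has no policy.* file"; problems=$((problems + 1))
    fi
    # file_contexts, which the failed emerge above could not open
    if [ -f "$root/etc/selinux/$ptype/contexts/files/file_contexts" ]; then
        echo "OK   file_contexts present"
    else
        echo "FAIL contexts/files/file_contexts missing"; problems=$((problems + 1))
    fi
    return "$problems"
}
```

A tree in the state Lawless describes (base.pp installed, empty policy directory, no file_contexts) reports two problems; both clear once a compiled policy and file_contexts exist under `/etc/selinux/<type>`.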

