How do I build selinux policy from source?

I am trying to build the selinux policy from source using the Makefile.

make policy

output:

Compiling refpolicy base module
/usr/bin/checkmodule base.conf -o tmp/base.mod
policy/modules/kernel/domain.te:723:ERROR 'syntax error' at token 'container_spc_stream_connect' on line 176539:
#line 723
    container_spc_stream_connect(domain)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [Rules.modular:102: tmp/base.mod] Error 1

Any help is appreciated, ty.

Do you happen to have selinux-policy and selinux-policy-devel? :thinking:

Yes. What's happening is that the policy is looking for the containers module, which is not included in the policy.
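
The diagnosis in the post above, as an added example that is not part of the original thread: it pulls the token out of a checkmodule syntax error and checks whether any `.if` file in the policy tree defines it as an interface or template. The function names are hypothetical, the demo tree and second log line are constructed, and it assumes refpolicy's convention of defining interfaces in `*.if` files.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes refpolicy's convention: interfaces live in *.if files as
# interface(`name', ...) or template(`name', ...).

# stdin: build log. stdout: unique tokens from checkmodule syntax errors.
checkmodule_tokens() {
    sed -n "s/.*ERROR 'syntax error' at token '\([A-Za-z0-9_]*\)'.*/\1/p" | sort -u
}

# $1: policy tree, $2: name. Prints the defining .if files; status 1 if none.
find_interface_def() {
    hits=$(find "$1" -type f -name '*.if' -exec \
        grep -lE "^[[:space:]]*(interface|template)\(\`$2'" {} + 2>/dev/null) || true
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# stdin: build log, $1: policy tree. Status 1 if any token has no definition.
diagnose() {
    rc=0
    for tok in $(checkmodule_tokens); do
        if defs=$(find_interface_def "$1" "$tok"); then
            echo "$tok: defined in $defs"
        else
            echo "$tok: no interface definition under $1 (module missing?)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a tree that defines one interface, fed the error line
# from the thread plus a constructed line naming the defined interface.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/policy/modules/kernel"
    printf "interface(\`kernel_read_system_state',\`\n')\n" \
        > "$t/policy/modules/kernel/kernel.if"
    printf '%s\n' \
        "policy/modules/kernel/domain.te:723:ERROR 'syntax error' at token 'container_spc_stream_connect' on line 176539:" \
        "x.te:1:ERROR 'syntax error' at token 'kernel_read_system_state' on line 2:" \
        | diagnose "$t/policy/modules" && rc=0 || rc=$?
    rm -rf "$t"
    return $rc
}
```

Against a real tree, after sourcing the file: `make policy 2>&1 | diagnose policy/modules`.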

The build process is explained here:
Tree - rpms/selinux-policy - src.fedoraproject.org

Thank you for the link, but these instructions are obsolete. Any other suggestions?

sudo fedpkg clone selinux-policy

Cloning into 'selinux-policy'...
The authenticity of host 'pkgs.fedoraproject.org (38.145.60.17)' can't be established.
RSA key fingerprint is SHA256:Q12OTyTeOHWlS54dTzy2BNu7wB8UKNf18+7WHIDsORc.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'pkgs.fedoraproject.org' (RSA) to the list of known hosts.
root@pkgs.fedoraproject.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Could not execute clone: Failed to execute command.

Did I miss something?

The instruction linked above relies on the Fedora infrastructure and requires pre-configured authentication, but you can also build it locally like this:

sudo dnf install \
    rpmdevtools rpmlint rpmspectool git-core groff
git clone -b $(rpm -E f%{fedora}) \
    https://src.fedoraproject.org/rpms/selinux-policy.git
rpmdev-wipetree
rpmdev-setuptree
cp -f -a selinux-policy/. ~/rpmbuild/SOURCES
cd ~/rpmbuild/SOURCES
./make-rhat-patches.sh
rpmbuild -ba *.spec

sudo fedpkg clone -a selinux-policy did do the trick. Ty

I’ll try both ways and report my progress here. Ty @vgaetera

Using the first method:

fedpkg build
Kerberos authentication is used, but you do not have a valid credential.
Please use kinit to get credential with a principal that has realm FEDORAPROJECT.ORG
Could not execute build: Could not login to https://koji.fedoraproject.org/kojihub

Using the second method:

RPM build errors:
    Directory not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/active
    File not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/semanage.read.LOCK
    File not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/semanage.trans.LOCK
    Directory not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/active/modules
    File not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/active/modules/100/base
    File not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/active/commit_num
    File not found: /home/richiedaze/rpmbuild/BUILDROOT/selinux-policy-41.14-1.fc40.x86_64/var/lib/selinux/targeted/active/users_extra
    etc...

@vgaetera, the selinux-policy.spec does not mention anything about these files?

I get the same error. I am building from a toolbox, could that be the reason?

The method above works to build the selinux policy from source on workstation.

NOTE:
This method currently does not work on atomic desktops using toolboxes. Further testing is necessary to figure out why the build fails on toolboxes.
