Skip to content

SETools 4 on Fedora 23

Chris PeBenito edited this page May 4, 2016 · 6 revisions

SETools now requires libsepol 2.5, which is not available on Fedora 23. The following instructions are no longer complete.

To use SETools4 locally on Fedora 23, you'll need to install the following packages:

  • bison
  • flex
  • gcc
  • libsepol-devel
  • libsepol-static
  • libselinux-devel
  • policycoreutils-python3
  • python3-networkx
  • swig
  • bzip2-devel
  • redhat-rpm-config
  • python3-qt5 (if using GUI tools)

Fedora 23 has Python 2.7 and 3.4; change SETools to explicitly use Python 3:

$ patch -p1 < patches/explicit-python3.diff

At this point you should be able to run the unit tests, which will also compile the C portion of SETools:

$ python3 setup.py test

You'll get these errors due to a bug in libsepol-2.3:

======================================================================
FAIL: test_009_lookup_cat_not_assoc (tests.policyrep.mls.LevelTest)
Level lookup with category not associated with sensitivity.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/setools/tests/policyrep/mls.py", line 489, in test_009_lookup_cat_not_assoc
    self.assertRaises(InvalidLevel, level_factory, self.p.policy, "s0:c0,c4")
AssertionError: InvalidLevel not raised

======================================================================
FAIL: test_007_range_lookup_invalid_range_low (tests.policyrep.mls.RangeTest)
Range lookup with an invalid range (low).
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/setools/tests/policyrep/mls.py", line 730, in test_007_range_lookup_invalid_range_low
    self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0:c13-s2:c13")
AssertionError: InvalidRange not raised

======================================================================
FAIL: test_008_range_lookup_invalid_range_high (tests.policyrep.mls.RangeTest)
Range lookup with an invalid range (high).
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/root/setools/tests/policyrep/mls.py", line 735, in test_008_range_lookup_invalid_range_high
    self.assertRaises(InvalidRange, range_factory, self.p.policy, "s0-s0:c13")
AssertionError: InvalidRange not raised

----------------------------------------------------------------------

These errors would only be hit if an invalid level or range is entered by the user and only if it is invalid because a category was not associated to a level. Reference Policy associates all categories to all levels (Fedora's policy is based on Reference Policy), so these errors should never be hit except on heavily customized policies.

You should be able to use the command line tools locally now. If you installed python3-qt5, the GUI tools should also be usable.

$ ./seinfo
Statistics for policy file: /sys/fs/selinux/policy
Policy Version: 29 (MLS enabled, allow unknown permissions)
  Classes:            92    Permissions:       439
  Sensitivities:       1    Categories:       1024
  Types:            4665    Attributes:        251
  Users:               8    Roles:              14
  Booleans:          306    Cond. Expr.:       357
  Allow:          100024    Neverallow:          0
  Auditallow:        153    Dontaudit:        7963
  Type_trans:      67027    Type_change:        74
  Type_member:        35    Range_trans:      5723
  Role allow:         39    Role_trans:        418
  Constraints:        38    Validatetrans:       0
  MLS Constrain:      71    MLS Val. Tran:       0
  Initial SIDs:       27    Fs_use:             28
  Genfscon:          103    Portcon:           581
  Netifcon:            0    Nodecon:             0
  Permissives:         0    Polcap:              2
  Defaults:            7    Typebounds:          0
Clone this wiki locally