Hi Chris,

Continuing on the inputs Richard shared, I was able to zero in on the problem.
To recreate, the step can be tested directly with the command mentioned in step c.

a) I have a custom rootfs under which I am trying to get the refpolicy installed.

b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches the state where
     # semodule -s refpolicy -i NAME-OF-MODULE
   is triggered for every module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
   ==> This semodule behavior is causing the problem.

c) By default semodule installs the file under /etc/selinux of the HOST system rather than /tmp/custom-rootfs/etc/selinux.
   This behaviour can be recreated / verified by:
     # semodule -s selinux-store-name -i sample.pp
   This instruction creates an entry of selinux-store-name and creates the policy.32 file there.
   ==> Instead, here I wanted the file to be created under /tmp/custom-rootfs/etc/selinux & not /etc/selinux

d) Currently trying to look at the file from where this instruction is executed & then check if somehow semodule can be made to use /tmp/custom-rootfs/etc/selinux over the default /etc/selinux

Thanks for sharing the info w.r.t. your use case, will look at them. They can help me understand the process in a better way.
Please feel free to revert if any further details are required or if I am missing any aspect.

Thanks,
Ashish

On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> (SELinux main mail list to BCC since this is a refpolicy question.)
>
> On 12/7/20 8:26 AM, Ashish Mishra wrote:
> > 4) Further debugging I can confirm that the final binary (policy.31)
> >    seems to be using a HARD-CODED location of /etc/selinux instead of
> >    what is being passed as DESTDIR.
> >    The policy.31 is created not at custom-embedded-rootfs location.
> >
> >    Due to this:
> >    - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> >      instead of what I was expecting at
> >      /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> >      as DESTDIR=${ROOT} and I do get *.pp at the expected
> >      location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> >          ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load DESTDIR=${ROOT}
>
> I can't reproduce your issue. I use monolithic policy regularly in the way
> you're using it.
>
> Here's the Makefile variables:
>
> From Makefile:
>     topdir := $(DESTDIR)/etc/selinux
>     installdir := $(topdir)/$(strip $(NAME))
>     policypath := $(installdir)/policy
>
> From Rules.monolithic:
>     loadpath = $(policypath)/$(notdir $(polver))
>
> $(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g.
> "refpolicy".
>
> Then the install target for monolithic looks like this (with "echo"s removed):
>
>     $(loadpath): $(policy_conf)
>         @$(INSTALL) -d -m 0755 $(@D)
>         $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
>
> --
> Chris PeBenito
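
An added example, not part of the original thread and not refpolicy's own code: a shell check that a staged `make load DESTDIR=...` wrote its policy.* binary under the staging root and left the host's /etc/selinux store unchanged. The function names and the HOSTROOT parameter are assumptions made for illustration; the directory layout follows the Makefile variables quoted above.

```shell
#!/bin/sh
# Added example (hypothetical helper names). HOSTROOT defaults to "" (the real
# host root) and exists so the check can be run against scratch directories.

# Mirrors the quoted Makefile variables:
#   topdir := $(DESTDIR)/etc/selinux ; installdir := $(topdir)/$(NAME)
#   policypath := $(installdir)/policy
policy_dir() {  # policy_dir ROOT NAME
    printf '%s/etc/selinux/%s/policy\n' "$1" "$2"
}

# Fingerprint (cksum + path) every policy.* binary of store NAME under ROOT.
snapshot_store() {  # snapshot_store ROOT NAME
    dir=$(policy_dir "$1" "$2")
    [ -d "$dir" ] || return 0
    find "$dir" -type f -name 'policy.*' -exec cksum {} + | sort
}

# Returns 0: a policy binary is staged under DESTDIR and the host is unchanged
#         1: the host store differs from the pre-build snapshot (install leaked)
#         2: the host is unchanged but nothing was written under DESTDIR
check_staged_install() {  # check_staged_install DESTDIR NAME BEFORE_FILE [HOSTROOT]
    destdir=$1 name=$2 before=$3 hostroot=${4:-}
    after=$(snapshot_store "$hostroot" "$name")
    if [ "$after" != "$(cat "$before")" ]; then
        echo "host store $(policy_dir "$hostroot" "$name") changed" >&2
        return 1
    fi
    if [ -z "$(snapshot_store "$destdir" "$name")" ]; then
        echo "no policy.* under $(policy_dir "$destdir" "$name")" >&2
        return 2
    fi
    return 0
}
```

Take the snapshot with `snapshot_store "" refpolicy > before.txt` before the build, then run `check_staged_install /tmp/custom-rootfs refpolicy before.txt` afterwards.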