Hi Chris ,
Continuing on the inputs Richard shared , I was able to zero down to
the problem.
To recreate , step can be directly tested by command mentioned in step-c
a) I am having custom-rootfs under which I am trying to get the
refpolicy installed.
b) By using make load DESTDIR=/tmp/custom-rootfs , the setup reaches
to state where
# semodule -s refpolicy -i NAME-OF-MODULE is triggered for every
module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
==> This semodule behavior is causing the problem.
c) By default semodule install the file under /etc/selinux of HOST
system rather than /tmp/custom-rootfs/etc/selinux
This behaviour can be recreated / verified by :
# semodule -s selinux-store-name -i sample.pp
This instruction creates an entry of selinux-store-name and
creates policy.32 file there .
==> Instead , here i wanted the file to be created under
/tmp/custom-rootfs/etc/selinux & not /etc/selinux
d) Currently trying to look at the file from where this instruction is
executed & then check if
somehow semodule can be made to use /tmp/custom-rootfs/etc/selinux
over default /etc/selinux
Thanks for sharing the info w.r.t your use case , will look at them .
They can help me to understand the process in a better way.
Please feel free to revert if any further details are required or if i
am missing any aspect .
Thanks ,
Ashish
On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> (SELinux main mail list to BCC since this is a refpolicy question.)
>
> On 12/7/20 8:26 AM, Ashish Mishra wrote:
> > 4) Further debugging I can confirm that the final binary (policy.31)
> > seems to be
> > using HARD-CODDED location of /etc/selinux instead of what is
> > being passed as DESTDIR.
> > The policy.31 is created not at custom-embedded-rootfs location.
> >
> > Due to this :
> > - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> > instead of what i was expecting at
> > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> > as DESTDIR=${ROOT} and i do get *.pp at the expected
> > location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> > ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load
> > DESTDIR=${ROOT}
>
>
> I can't reproduce your issue. I use monolithic policy regularly in the way
> you're using it.
>
> Here's the Makefile variables:
>
> From Makefile:
> topdir := $(DESTDIR)/etc/selinux
> installdir := $(topdir)/$(strip $(NAME))
> policypath := $(installdir)/policy
>
> From Rules.monolithic:
> loadpath = $(policypath)/$(notdir $(polver))
>
> $(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g.
> "refopolicy".
>
>
> Then the install target for monolithic looks like this (with "echo"s removed):
>
> $(loadpath): $(policy_conf)
> @$(INSTALL) -d -m 0755 $(@D)
> $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
>
> --
> Chris PeBenito
