Re: How is policy.31 created from modules under /usr/share/selinux

Hi Chris,

Continuing on the inputs Richard shared, I was able to zero down to
the problem.
To recreate, step  can be directly tested by the command mentioned in step-c

a) I am having custom-rootfs under which I am trying to get the
refpolicy installed.

b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches
a state where
     # semodule -s refpolicy -i NAME-OF-MODULE
is triggered for every module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
     ==> This semodule behavior is causing the problem.

c) By default semodule installs the file under /etc/selinux of the HOST
system rather than /tmp/custom-rootfs/etc/selinux
    This behaviour can be recreated / verified by:
    # semodule -s selinux-store-name -i sample.pp
    This instruction creates an entry of selinux-store-name and
creates a policy.32 file there.
     ==> Instead, here I wanted the file to be created under
/tmp/custom-rootfs/etc/selinux & not /etc/selinux

d) Currently trying to look at the file from where this instruction is
executed & then check if
    somehow semodule can be made to use /tmp/custom-rootfs/etc/selinux
over default /etc/selinux

Thanks for sharing the info w.r.t. your use case, will look at them.
They can help me to understand the process in a better way.

Please feel free to revert if any further details are required or if I
am missing any aspect.

Thanks,
Ashish

On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> (SELinux main mail list to BCC since this is a refpolicy question.)
>
> On 12/7/20 8:26 AM, Ashish Mishra wrote:
> >   4)  Further debugging I can confirm that the final binary (policy.31)
> > seems to be
> >        using HARD-CODED location of /etc/selinux instead of what is
> > being passed as DESTDIR.
> >       The policy.31 is created not at custom-embedded-rootfs location.
> >
> >        Due to this :
> >          - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> >            instead of what I was expecting at
> > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> >            as DESTDIR=${ROOT}  and I do get *.pp at the expected
> > location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> >                   ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load
> > DESTDIR=${ROOT}
>
>
> I can't reproduce your issue.  I use monolithic policy regularly in the way
> you're using it.
>
> Here's the Makefile variables:
>
>  From Makefile:
>    topdir := $(DESTDIR)/etc/selinux
>    installdir := $(topdir)/$(strip $(NAME))
>    policypath := $(installdir)/policy
>
>  From Rules.monolithic:
>    loadpath = $(policypath)/$(notdir $(polver))
>
> $(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g.
> "refpolicy".
>
>
> Then the install target for monolithic looks like this (with "echo"s removed):
>
> $(loadpath): $(policy_conf)
>          @$(INSTALL) -d -m 0755 $(@D)
>          $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS)  $^ -o $@
>
> --
> Chris PeBenito


