On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> Hi Richard,
>
> Will check with the monolithic policy to check the behavior of the
> semodule as you suggested.
>
> Is there any similar approach / workaround for modular one?

I've only had a quick look at code and I could see two ways to fix:

1) Modify the Rules.modular part of the make file to move or copy the
   policy and file contexts set of files over to $DESTDIR.

2) Modify semodule/semanage to handle $DESTDIR. I think this would be
   more difficult to fix as lots go on here. Maybe Chris could comment.

> Thanks for pointers again.
>
> Ashish
>
> On Wed, Dec 9, 2020 at 3:23 PM Richard Haines
> <richard_c_haines@xxxxxxxxxxxxxx> wrote:
> >
> > On Tue, 2020-12-08 at 21:28 +0530, Ashish Mishra wrote:
> > > Hi Chris,
> > >
> > > Continuing on the inputs Richard shared, I was able to zero down to
> > > the problem.
> > > To recreate, the step can be directly tested by the command mentioned
> > > in step-c
> > >
> > > a) I am having custom-rootfs under which I am trying to get the
> > > refpolicy installed.
> > >
> > > b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches
> > > the state where
> > > # semodule -s refpolicy -i NAME-OF-MODULE is triggered for every
> > > module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
> > > ==> This semodule behavior is causing the problem.
> > >
> > > c) By default semodule installs the file under /etc/selinux of the
> > > HOST system rather than /tmp/custom-rootfs/etc/selinux
> > > This behaviour can be recreated / verified by:
> > > # semodule -s selinux-store-name -i sample.pp
> > > This instruction creates an entry of selinux-store-name and
> > > creates the policy.32 file there.
> > > ==> Instead, here I wanted the file to be created under
> > > /tmp/custom-rootfs/etc/selinux & not /etc/selinux
> > >
> > > d) Currently trying to look at the file from where this instruction
> > > is executed & then check if somehow semodule can be made to use
> > > /tmp/custom-rootfs/etc/selinux over the default /etc/selinux
> > >
> > > Thanks for sharing the info w.r.t your use case, will look at them.
> > > They can help me to understand the process in a better way.
> > >
> > > Please feel free to revert if any further details are required or if
> > > I am missing any aspect.
> >
> > I've been AWOL for a few days so just picking up on this query. I can
> > now see the problem as described. If you generate a monolithic policy
> > (MONOLITHIC=y) using the sequence below it all works. However if you
> > build a modular policy (MONOLITHIC=n), then semodule will install the
> > final binary policy in /etc/selinux/refpolicy/policy regardless of
> > DESTDIR.
> >
> > I guess semodule should obey orders??
> >
> > export DESTDIR=/tmp/custom-embedded-rootfs
> > mkdir refpol
> > cd refpol
> > git clone https://github.com/SELinuxProject/refpolicy.git
> > Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> > make install-src
> > cd /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> > make conf
> > make load
> >
> > > Thanks,
> > > Ashish
> > >
> > > On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito <pebenito@xxxxxxxx>
> > > wrote:
> > > >
> > > > (SELinux main mail list to BCC since this is a refpolicy
> > > > question.)
> > > >
> > > > On 12/7/20 8:26 AM, Ashish Mishra wrote:
> > > > > 4) Further debugging I can confirm that the final binary
> > > > > (policy.31) seems to be using the HARD-CODED location of
> > > > > /etc/selinux instead of what is being passed as DESTDIR.
> > > > > The policy.31 is created not at the custom-embedded-rootfs
> > > > > location.
> > > > >
> > > > > Due to this:
> > > > > - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> > > > > instead of what I was expecting at
> > > > > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> > > > > as DESTDIR=${ROOT} and I do get *.pp at the expected location of
> > > > > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> > > > > ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load DESTDIR=${ROOT}
> > > >
> > > > I can't reproduce your issue. I use monolithic policy regularly in
> > > > the way you're using it.
> > > >
> > > > Here's the Makefile variables:
> > > >
> > > > From Makefile:
> > > > topdir := $(DESTDIR)/etc/selinux
> > > > installdir := $(topdir)/$(strip $(NAME))
> > > > policypath := $(installdir)/policy
> > > >
> > > > From Rules.monolithic:
> > > > loadpath = $(policypath)/$(notdir $(polver))
> > > >
> > > > $(notdir $(polver)) is "policy.31" and NAME is what you have in
> > > > build.conf, e.g. "refpolicy".
> > > >
> > > > Then the install target for monolithic looks like this (with
> > > > "echo"s removed):
> > > >
> > > > $(loadpath): $(policy_conf)
> > > >         @$(INSTALL) -d -m 0755 $(@D)
> > > >         $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
> > > >
> > > > --
> > > > Chris PeBenito
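Richard's option 1 above (copying the policy and file-contexts files that semodule wrote into the host store over to $DESTDIR after "make load") as a stand-alone POSIX shell workaround. This is an added example, not code from the thread or from refpolicy's Rules.modular; it assumes the store layout <root>/etc/selinux/<NAME>/{policy,contexts} and takes an optional source root so the demo runs against a constructed tree instead of the real host /etc/selinux.

```shell
# Added example, not refpolicy code. Assumed (not stated in the thread):
# the store is <root>/etc/selinux/<NAME> and the files to carry over are
# policy/ and contexts/. SRCROOT defaults to "" (the real host) but lets
# the function run against a constructed tree instead.
set -e

# sync_store_to_destdir NAME DESTDIR [SRCROOT]
# Copies policy/ and contexts/ of store NAME from SRCROOT/etc/selinux into
# DESTDIR/etc/selinux/NAME and prints the number of regular files copied.
sync_store_to_destdir() {
    name=$1; destdir=$2; srcroot=${3:-}
    src="$srcroot/etc/selinux/$name"
    dst="$destdir/etc/selinux/$name"
    [ -d "$src" ] || { echo "no policy store at $src" >&2; return 1; }
    mkdir -p "$dst"
    count=0
    for sub in policy contexts; do
        [ -d "$src/$sub" ] || continue
        mkdir -p "$dst/$sub"
        # -R keeps the subtree layout, -p keeps the modes of the copied files
        cp -Rp "$src/$sub/." "$dst/$sub/"
        n=$(find "$src/$sub" -type f | wc -l | tr -d ' ')
        count=$((count + n))
    done
    echo "$count"
}

# verify_policy_present NAME DESTDIR VERSION
# Succeeds only if the binary policy the thread expected (policy.<VERSION>)
# is now under DESTDIR rather than only on the host.
verify_policy_present() {
    [ -f "$2/etc/selinux/$1/policy/policy.$3" ]
}

# Constructed demo tree standing in for what "semodule -s refpolicy -i ..."
# left in the host store; nothing here touches the real /etc/selinux.
demo() {
    tmp=$(mktemp -d)
    store="$tmp/host/etc/selinux/refpolicy"
    mkdir -p "$store/policy" "$store/contexts/files"
    echo "constructed stand-in for a binary policy" > "$store/policy/policy.32"
    echo "/ -- system_u:object_r:root_t" > "$store/contexts/files/file_contexts"
    copied=$(sync_store_to_destdir refpolicy "$tmp/custom-rootfs" "$tmp/host")
    verify_policy_present refpolicy "$tmp/custom-rootfs" 32 && echo "ok: $copied files mirrored"
    rm -rf "$tmp"
}
demo
```

On a real build, the same call with SRCROOT omitted would run against the host store, e.g. sync_store_to_destdir refpolicy "$DESTDIR" after "make load" in the modular case.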