Re: How is policy.31 created from modules under /usr/share/selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> 
> On 12/9/20 9:37 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> > > Hi Richard ,
> > > 
> > > Will check with the monolithic policy to check the behavior of
> > > the
> > > semodule as you suggested.
> > > 
> > > Is there any similar approach / workaround for modular one?
> > 
> > I've only had a quick look at code and I could see two ways to fix:
> > 1) Modify the Rules.modular part of the make file to move or copy
> > the
> > policy and file contexts set of files over to $DESTDIR.
> > 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> > be
> > more difficult to fix as lots go on here.
> > 
> 
> semodule does accept the -p option to change the root, so we could
> feed
> DESTDIR into that. For example, a minimally tested patch:
> 
> diff --git a/Rules.modular b/Rules.modular
> index d6224e95..64d953dc 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
>  # make sure two directories exist since they are not
>  # created by semanage
>         @echo "Loading configured modules."
> -       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> -       $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> +       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(DESTDIR)/var/lib/selinux
> +       $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> $(modpkgdir)/$(mod))
> 
>  ########################################
>  #
> 
> 
> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> expects that to already exist.
> 
> Though, I would suggest that maybe the "install" target should run
> the
> above semodule command with the --noreload option to install all
> files
> and build the policy binary but not actually load it into the kernel.
> Then make load just becomes something like
> 
>   semodule -p $(DESTDIR)/ --reload
> 
> Makes a clear distinction between installing everything that's needed
> vs actually loading the policy into the kernel. Happy to create a
> patch
> if that approach makes sense.

Thanks Steve, that worked for me, however I guess Chris needs to
comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
maybe a clarification comment in the README. Also need comment
regarding the use of --reload/--noreload.






[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux