On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> 
> On 12/9/20 9:37 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> > > Hi Richard,
> > > 
> > > Will check with the monolithic policy to check the behavior of the
> > > semodule as you suggested.
> > > 
> > > Is there any similar approach / workaround for modular one?
> > 
> > I've only had a quick look at code and I could see two ways to fix:
> > 1) Modify the Rules.modular part of the make file to move or copy the
> >    policy and file contexts set of files over to $DESTDIR.
> > 2) Modify semodule/semanage to handle $DESTDIR. I think this would be
> >    more difficult to fix as lots go on here.
> > 
> 
> semodule does accept the -p option to change the root, so we could feed
> DESTDIR into that. For example, a minimally tested patch:
> 
> diff --git a/Rules.modular b/Rules.modular
> index d6224e95..64d953dc 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
> # make sure two directories exist since they are not
> # created by semanage
> @echo "Loading configured modules."
> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(DESTDIR)/var/lib/selinux
> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> $(modpkgdir)/$(mod))
> 
> ########################################
> #
> 
> 
> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> expects that to already exist.
> 
> Though, I would suggest that maybe the "install" target should run the
> above semodule command with the --noreload option to install all files
> and build the policy binary but not actually load it into the kernel.
> Then make load just becomes something like
> 
> semodule -p $(DESTDIR)/ --reload
> 
> Makes a clear distinction between installing everything that's needed
> vs actually loading the policy into the kernel. Happy to create a patch
> if that approach makes sense.

Thanks Steve, that worked for me. However, I guess Chris needs to comment, as the $(DESTDIR)/var/lib/selinux needs to be generated and maybe a clarification comment in the README. Also need a comment regarding the use of --reload/--noreload.
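Review bot: the context comment `# make sure two directories exist since they are not` is now stale, because the replaced `+ @$(INSTALL) -d -m 0755 ...` line creates three directories ($(policypath), $(dir $(fcpath)) and $(DESTDIR)/var/lib/selinux); update the comment, and consider putting `/var/lib/selinux` in a Makefile variable rather than hard-coding the store location in the recipe. The replaced `+ $(verbose) $(SEMODULE) -p $(DESTDIR)/ ...` line still carries no --noreload, so the install-versus-load split argued for below the patch is not yet reflected in the hunk. Finally, mail wrapping has broken both `+` lines into continuation segments (`$(DESTDIR)/var/lib/selinux`, `$(modpkgdir)/$(notdir $(base_pkg)) ...`) that lack a `+` prefix, so the patch will not apply as quoted; please resend it as an attachment or with line wrapping disabled.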
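The install/load split proposed above, written out as an added Rules.modular-style fragment for illustration (not the project's own code and not part of the thread). It assumes the $(SEMODULE), $(INSTALL), $(verbose), $(NAME), $(DESTDIR), $(modpkgdir), $(base_pkg), $(mod_pkgs), $(policypath), $(fcpath), $(instpkg) and $(appfiles) variables from the patch, and that the semodule -p root must already contain var/lib/selinux; the `sestoredir` variable and the staging-root guard in `load` are this example's own additions.

```makefile
# Hypothetical variable (not from Rules.modular): the semanage store
# directory that semodule -p $(DESTDIR)/ expects to exist already.
sestoredir := $(DESTDIR)/var/lib/selinux

# install: stage every file and build the policy binary under $(DESTDIR)
# without touching the running kernel (--noreload).
install: $(instpkg) $(appfiles)
	@echo "Installing modules under $(DESTDIR)/ (no kernel reload)."
	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(sestoredir)
	$(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) --noreload \
		-i $(modpkgdir)/$(notdir $(base_pkg)) \
		$(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))

# load: only push the already-built policy into the kernel.
# Assumed guard: refuse when DESTDIR points at a staging tree, since a
# policy staged outside the real root is not the one the kernel should run.
load: install
	@if [ -n "$(DESTDIR)" ] && [ "$(DESTDIR)" != "/" ]; then \
		echo "DESTDIR=$(DESTDIR) is a staging root; not loading into the kernel" >&2; \
		exit 1; \
	fi
	@echo "Loading policy into the kernel."
	$(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) --reload
```

`make DESTDIR=/tmp/stage install` then stages and builds the policy only, while a plain `make load` performs the kernel reload on the real root.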