Hi Chris / Richard / Steve,

I tried the suggested approach w.r.t. monolithic and also the patch suggested. It seems it's creating policy.31 under DESTDIR directories.

a) Is there anything I can check specifically and share observations?
b) Any link where we have this thread available for future reference? I wanted to know if we have any archive which can be accessed like other communities, something like https://lists.yoctoproject.org/g/poky/topics

Thanks,
Ashish

On Thu, Dec 10, 2020 at 3:32 AM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> On 12/9/20 11:13 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> >>
> >> On 12/9/20 9:37 AM, Richard Haines wrote:
> >>> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> >>>> Hi Richard,
> >>>>
> >>>> Will check with the monolithic policy to check the behavior of
> >>>> the
> >>>> semodule as you suggested.
> >>>>
> >>>> Is there any similar approach / workaround for modular one?
> >>>
> >>> I've only had a quick look at code and I could see two ways to fix:
> >>> 1) Modify the Rules.modular part of the make file to move or copy
> >>> the
> >>> policy and file contexts set of files over to $DESTDIR.
> >>> 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> >>> be
> >>> more difficult to fix as lots go on here.
> >>>
> >>
> >> semodule does accept the -p option to change the root, so we could
> >> feed
> >> DESTDIR into that. For example, a minimally tested patch:
> >>
> >> diff --git a/Rules.modular b/Rules.modular
> >> index d6224e95..64d953dc 100644
> >> --- a/Rules.modular
> >> +++ b/Rules.modular
> >> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
> >> # make sure two directories exist since they are not
> >> # created by semanage
> >> @echo "Loading configured modules."
> >> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> >> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> >> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >> $(DESTDIR)/var/lib/selinux
> >> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> >> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> >> $(modpkgdir)/$(mod))
> >>
> >> ########################################
> >> #
> >>
> >>
> >> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> >> expects that to already exist.
> >>
> >> Though, I would suggest that maybe the "install" target should run
> >> the
> >> above semodule command with the --noreload option to install all
> >> files
> >> and build the policy binary but not actually load it into the kernel.
> >> Then make load just becomes something like
> >>
> >> semodule -p $(DESTDIR)/ --reload
> >>
> >> Makes a clear distinction between installing everything that's needed
> >> vs actually loading the policy into the kernel. Happy to create a
> >> patch
> >> if that approach makes sense.
> >
> > Thanks Steve, that worked for me, however I guess Chris needs to
> > comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
> > maybe a clarification comment in the README. Also need comment
> > regarding the use of --reload/--noreload.
>
> To my knowledge, the history is that semodule was only intended to run on the
> target system. If you wanted to precreate a policy you could
> semodule_link+semodule_expand like what is leveraged in the validate target.
>
> I'd take a patch that changes the Makefile behavior but would like some real
> testing first.
>
> --
> Chris PeBenito
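Review bot: the new `$(SEMODULE) -p $(DESTDIR)/ ...` line in the Rules.modular hunk still lets semodule load the rebuilt policy into the running kernel, so a `make load` run against a staging DESTDIR populates the staged store and then also changes the build host's live policy; add `--noreload` to that invocation (the split you propose further down, with the kernel load left to a separate `semodule -p $(DESTDIR)/ --reload` step) so that building under DESTDIR never touches the host. Two smaller points in the same hunk: `$(DESTDIR)/var/lib/selinux` is spelled out as a literal next to `$(policypath)` and `$(dir $(fcpath))`, so it should come from a variable that the `-p $(DESTDIR)/` root and the store path both derive from; and the unchanged context comment "make sure two directories exist since they are not created by semanage" now sits above an `$(INSTALL) -d` that creates three, so the comment needs updating.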