When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).
Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.
Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/refpolicy/policy/policy.<ver> that the developer
thought would be loaded).
Resolve these issues by using sestatus(8) to resolve the policy root, then
checking the selinux_config(5) file for the appropriate SELINUXTYPE entry.
Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
Makefile | 1 +
Rules.monolithic | 31 ++++++++++++++++++++++++++++---
2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 6ba215f1..88a5e78f 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
LOADPOLICY ?= $(tc_usrsbindir)/load_policy
SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
SETFILES ?= $(tc_sbindir)/setfiles
+SESTATUS ?= $(tc_sbindir)/sestatus
XMLLINT ?= $(BINDIR)/xmllint
SECHECK ?= $(BINDIR)/sechecker
diff --git a/Rules.monolithic b/Rules.monolithic
index a8ae98d1..01e445ca 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -42,6 +42,12 @@ vpath %.te $(all_layers)
vpath %.if $(all_layers)
vpath %.fc $(all_layers)
+# load_policy(8) loads policy from <SELINUXDIR>/<SELINUXTYPE>/policy/policy.<ver>
+# Therefore need to determine if policy to load is in the right place,
+SELINUXDIR ?= $(strip $(shell $(SESTATUS) | $(AWK) '/^SELinux root directory:/{ print $$4 }'))
+# and that <SELINUXDIR>/config contains the correct SELINUXTYPE entry.
+SELINUXTYPE ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUXDIR)/config))
+
########################################
#
# default action: build policy locally
@@ -91,9 +97,28 @@ endif
# Load the binary policy
#
reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
+ifneq ($(SELINUXTYPE),$(NAME))
+ $(eval NO_LOAD := $(shell echo 1))
+ @echo
+ @echo "Warning: Cannot load policy as $(SELINUXDIR)/config file contains:"
+ @echo -e "\tSELINUXTYPE=$(SELINUXTYPE)"
+ @echo "Edit $(SELINUXDIR)/config and set \"SELINUXTYPE=$(NAME)\"."
+ @echo
+endif
+
+ifneq ($(topdir),$(SELINUXDIR))
+ $(eval NO_LOAD := $(shell echo 1))
+ @echo
+ @echo "Warning: Cannot load policy as policy root MUST be $(SELINUXDIR)/$(NAME)"
+ @echo
+endif
+
+ @if test -z $(NO_LOAD); then \
+ echo "Loading $(NAME) $(loadpath)" ;\
+ $(verbose) $(LOADPOLICY) -q $(loadpath) ;\
+ else \
+ echo "Resolve binary policy configuration" ;\
+ fi
########################################
#
--
2.29.2
