When building a monolithic policy with 'make load', the selinux_config(5) file 'SELINUXTYPE' entry determines what policy is loaded as load_policy(8) does not take a path value (it always loads the active system policy as defined by /etc/selinux/config). Currently it is possible to load the wrong binary policy, for example if the Reference Policy source is located at: /etc/selinux/refpolicy and the /etc/selinux/config file has the following entry: SELINUXTYPE=targeted Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when 'make load' is executed. Another example is that if the Reference Policy source is located at: /tmp/custom-rootfs/refpolicy and the /etc/selinux/config file has the following entry: SELINUXTYPE=refpolicy Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when 'make DESTDIR=/tmp/custom-rootfs load' is executed (not the /tmp/custom-rootfs/refpolicy/policy/policy.<ver> that the developer thought would be loaded). Resolve these issues by using sestatus(8) to resolve the policy root, then checking the selinux_config(5) file for the appropriate SELINUXTYPE entry. Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 Makefile | 1 +
 Rules.monolithic | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/Makefile b/Makefile
index 6ba215f1..88a5e78f 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
+SESTATUS ?= $(tc_sbindir)/sestatus
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
diff --git a/Rules.monolithic b/Rules.monolithic
index a8ae98d1..01e445ca 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
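Review bot: The new `SESTATUS` default is rooted at `$(tc_sbindir)` while the neighbouring `LOADPOLICY` default uses `$(tc_usrsbindir)`; sestatus(8) is, as far as I recall, shipped by policycoreutils next to load_policy under /usr/sbin, so on a host without merged /usr the default path may not exist and the later `$(shell $(SESTATUS) ...)` would yield an empty policy root. Unless there is a reason to prefer /sbin here, `SESTATUS ?= $(tc_usrsbindir)/sestatus` keeps it consistent with load_policy; please confirm against the toolchain layout this tree targets. The hunk covers only the tool-path definitions, so nothing is cut off.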
@@ -42,6 +42,12 @@ vpath %.te $(all_layers)
 vpath %.if $(all_layers)
 vpath %.fc $(all_layers)
+# load_policy(8) loads policy from <SELINUXDIR>/<SELINUXTYPE>/policy/policy.<ver>
+# Therefore need to determine if policy to load is in the right place,
+SELINUXDIR ?= $(strip $(shell $(SESTATUS) | $(AWK) '/^SELinux root directory:/{ print $$4 }'))
+# and that <SELINUXDIR>/config contains the correct SELINUXTYPE entry.
+SELINUXTYPE ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUXDIR)/config))
+
 ########################################
 #
 # default action: build policy locally
@@ -91,9 +97,28 @@ endif
 # Load the binary policy
 # reload
 $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
- @echo "Loading $(NAME) $(loadpath)"
- $(verbose) $(LOADPOLICY) -q $(loadpath)
- @touch $(tmpdir)/load
+ifneq ($(SELINUXTYPE),$(NAME))
+ $(eval NO_LOAD := $(shell echo 1))
+ @echo
+ @echo "Warning: Cannot load policy as $(SELINUXDIR)/config file contains:"
+ @echo -e "\tSELINUXTYPE=$(SELINUXTYPE)"
+ @echo "Edit $(SELINUXDIR)/config and set \"SELINUXTYPE=$(NAME)\"."
+ @echo
+endif
+
+ifneq ($(topdir),$(SELINUXDIR))
+ $(eval NO_LOAD := $(shell echo 1))
+ @echo
+ @echo "Warning: Cannot load policy as policy root MUST be $(SELINUXDIR)/$(NAME)"
+ @echo
+endif
+
+ @if test -z $(NO_LOAD); then \
+ echo "Loading $(NAME) $(loadpath)" ;\
+ $(verbose) $(LOADPOLICY) -q $(loadpath) ;\
+ else \
+ echo "Resolve binary policy configuration" ;\
+ fi
 ########################################
 #
-- 
2.29.2
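Review bot: `SELINUXDIR` and `SELINUXTYPE` are assigned with `?=`, which is recursive, so the `$(shell $(SESTATUS) | ...)` and `$(shell $(AWK) ... $(SELINUXDIR)/config)` pipelines are re-run on every reference instead of once, and they run at parse time for every goal (including `clean` or a plain build) rather than only for `load`. On a build host without SELinux or sestatus, for instance a DESTDIR rootfs build, `SELINUXDIR` comes back empty and awk is then pointed at `/config`, producing stray errors on every make run. Keeping the user override while expanding once would be `ifndef SELINUXDIR` / `SELINUXDIR := $(strip $(shell $(SESTATUS) 2>/dev/null | $(AWK) '/^SELinux root directory:/{ print $$4 }'))` / `endif`, and the same shape for `SELINUXTYPE` guarded by `$(wildcard $(SELINUXDIR)/config)` so the awk is not invoked on a missing file. The `/^SELINUXTYPE/` pattern would also match any longer key with that prefix; `/^SELINUXTYPE=/` is tighter.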
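Review bot: The `$(verbose) $(LOADPOLICY) -q $(loadpath) ;\` line now sits inside a shell `if` block, where the Make-only `@` recipe prefix is meaningless; if `verbose` expands to `@` for quiet builds (as I believe it does elsewhere in this tree, please confirm), the shell receives `@` as a command name, load_policy never runs, and the error is swallowed by the `;\` chaining. In addition the `else` branch exits 0, so `make load` reports success while no policy was loaded, which callers and scripts will not notice; the same silent-success applies to both `ifneq` warning blocks above it. I would change the three lines to `@if test -z "$(NO_LOAD)"; then \`, `$(LOADPOLICY) -q $(loadpath) ;\` and `echo "Resolve binary policy configuration" >&2; exit 1 ;\` — the quoting matters because the unquoted `test -z $(NO_LOAD)` only works today by the accident that a bare `test -z` evaluates true. `$(shell echo 1)` is just `1`, so `$(eval NO_LOAD := 1)` says the same without forking a shell, and `echo -e` is not portable to a POSIX `sh` recipe shell if SHELL is not bash here.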