[PATCH] Ensure correct monolithic binary policy is loaded

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



When building a monolithic policy with 'make load', the
selinux_config(5) file 'SELINUXTYPE' entry determines what policy
is loaded as load_policy(8) does not take a path value (it always loads
the active system policy as defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if
the Reference Policy source is located at:
/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when
'make load' is executed.

Another example is that if the Reference Policy source is located at:
/tmp/custom-rootfs/refpolicy
and the /etc/selinux/config file has the following entry:
SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/refpolicy/policy/policy.<ver> that the developer
thought would be loaded).

Resolve these issues by using sestatus(8) to resolve the policy root, then
checking the selinux_config(5) file for the appropriate SELINUXTYPE entry.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
 Makefile         |  1 +
 Rules.monolithic | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 6ba215f1..88a5e78f 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand
 LOADPOLICY ?= $(tc_usrsbindir)/load_policy
 SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen
 SETFILES ?= $(tc_sbindir)/setfiles
+SESTATUS ?= $(tc_sbindir)/sestatus
 XMLLINT ?= $(BINDIR)/xmllint
 SECHECK ?= $(BINDIR)/sechecker
 
diff --git a/Rules.monolithic b/Rules.monolithic
index a8ae98d1..01e445ca 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -42,6 +42,12 @@ vpath %.te $(all_layers)
 vpath %.if $(all_layers)
 vpath %.fc $(all_layers)
 
+# load_policy(8) loads policy from <SELINUXDIR>/<SELINUXTYPE>/policy/policy.<ver>
+# Therefore need to determine if policy to load is in the right place,
+SELINUXDIR ?= $(strip $(shell $(SESTATUS) | $(AWK) '/^SELinux root directory:/{ print $$4 }'))
+# and that <SELINUXDIR>/config contains the correct SELINUXTYPE entry.
+SELINUXTYPE ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUXDIR)/config))
+
 ########################################
 #
 # default action: build policy locally
@@ -91,9 +97,28 @@ endif
 # Load the binary policy
 #
 reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
-	@echo "Loading $(NAME) $(loadpath)"
-	$(verbose) $(LOADPOLICY) -q $(loadpath)
-	@touch $(tmpdir)/load
+ifneq ($(SELINUXTYPE),$(NAME))
+	$(eval NO_LOAD := $(shell echo 1))
+	@echo
+	@echo "Warning: Cannot load policy as $(SELINUXDIR)/config file contains:"
+	@echo -e "\tSELINUXTYPE=$(SELINUXTYPE)"
+	@echo "Edit $(SELINUXDIR)/config and set \"SELINUXTYPE=$(NAME)\"."
+	@echo
+endif
+
+ifneq ($(topdir),$(SELINUXDIR))
+	$(eval NO_LOAD := $(shell echo 1))
+	@echo
+	@echo "Warning: Cannot load policy as policy root MUST be $(SELINUXDIR)/$(NAME)"
+	@echo
+endif
+
+	@if test -z $(NO_LOAD); then \
+		echo "Loading $(NAME) $(loadpath)" ;\
+		$(verbose) $(LOADPOLICY) -q $(loadpath) ;\
+	else \
+		echo "Resolve binary policy configuration" ;\
+	fi
 
 ########################################
 #
-- 
2.29.2




[Index of Archives]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux