Stephen Smalley wrote:
> On Mon, 2008-06-16 at 12:49 -0400, Vikram Ambrose wrote:
>> Without a chroot environment, how does one go about building/installing,
>> well, basically the entire process including the bootstrap, in a
>> self-contained build directory?
>> I have been playing with refpolicy, and from what I have learned,
>> refpolicy allows you to define a LOCAL_ROOT, but none of the SELinux
>> userspace tools allow you to make use of a folder other than
>> /etc/selinux, as that path is hard-coded in all the source files.
>> In essence, I want to know how to build a policy and tar it up, extract
>> it into a target rootfs and simply call "load_policy" to use it.
> I'm not sure LOCAL_ROOT is what you think it is; there is a DESTDIR
> definition, though, that gets used by the Fedora policy package build.
> Looks like there is even a TEST_TOOLCHAIN definition, although I haven't
> used that one and it would have the same problems with libsemanage
> helpers that you ran into earlier.

Yes, sorry, I meant to say DESTDIR.

> Note that they get installed to $DESTDIR/usr/share/selinux/$SELINUXTYPE
> by make install. In Fedora, they are packaged as such, then when you
> install the package on the target host, they are unpacked
> to /usr/share/selinux/$SELINUXTYPE by the package manager and then a
> %post scriptlet runs semodule on them to install them under /etc/selinux
> and load them.

In Fedora, does anaconda chroot into the sysroot and call semodule
during installation?

> Options for you might include:
> 1) Run semodule_link and semodule_expand at build time to link and
> expand the modules to a kernel policy up front. Then you can just put
> the files into place without running semodule later.

I will investigate this option further, thank you.

> 2) Build monolithic policy instead of modular policy. Then there is no
> intermediate step and no use of semodule*.

I would like to use a modular build.

> You don't really want to load the policy on the build host, do you?
> That's not a good idea - it will disturb the functioning of the build
> host, and you still need to restart userspace to get everything into the
> right domain.

No, I don't want to load the policy on the build host; sorry for that
confusion.
--
Vikram Ambrose | Linux Products Division | WindRiver Corporation
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
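Option 1 from the exchange above (link and expand at build time, then just put the files in place on the target) worked through as an added example. This script is not from the thread, from refpolicy or from policycoreutils; it is an editor's illustration. It assumes refpolicy's "make install" has already populated $DESTDIR/usr/share/selinux/$SELINUXTYPE with base.pp and the other .pp modules, that semodule_link and semodule_expand are on PATH, that the build host is little-endian, and that DESTDIR, ROOTFS, SELINUXTYPE and POLICYVER are environment variables of our own choosing (POLICYVER is optional). The header layout it reads to name the output file is libsepol's kernel policydb header (magic, string length, "SE Linux", version).

```shell
#!/bin/sh
# Added example (not from the thread): link and expand the modular refpolicy
# build into a kernel policy on the build host and stage it into a target
# rootfs so that the target only needs to run load_policy.
# Assumptions: `make install` has already placed base.pp and the other *.pp
# modules under $DESTDIR/usr/share/selinux/$SELINUXTYPE; semodule_link and
# semodule_expand are on PATH; the host is little-endian (od -t u4 reads the
# policy header in host byte order); module paths contain no whitespace.
set -eu

SELINUXTYPE="${SELINUXTYPE:-refpolicy}"
DESTDIR="${DESTDIR:-./stage}"
ROOTFS="${ROOTFS:-./rootfs}"
POLICYVER="${POLICYVER:-}"   # empty: let semodule_expand use its default

module_dir()   { printf '%s/usr/share/selinux/%s\n' "$1" "$2"; }
policy_store() { printf '%s/etc/selinux/%s\n' "$1" "$2"; }

# /etc/selinux/config as read by libselinux/load_policy on the target.
selinux_config() { printf 'SELINUX=%s\nSELINUXTYPE=%s\n' "$1" "$2"; }

# semodule_link wants the base package first; the rest follow in glob order.
ordered_modules() {
  dir=$1
  [ -f "$dir/base.pp" ] || { echo "no base.pp in $dir" >&2; return 1; }
  printf '%s\n' "$dir/base.pp"
  for m in "$dir"/*.pp; do
    if [ "$m" != "$dir/base.pp" ]; then printf '%s\n' "$m"; fi
  done
}

# The file under policy/ must be named policy.<version> or load_policy will
# not find it. Read the version from the binary header semodule_expand wrote:
# u32 magic 0xf97cff8c, u32 string length, "SE Linux", u32 version.
kernel_policy_version() {
  f=$1
  magic=$(od -An -t u4 -j 0 -N 4 "$f" | tr -d ' ')
  [ "$magic" = 4185718668 ] || { echo "$f: not a kernel policy" >&2; return 1; }
  len=$(od -An -t u4 -j 4 -N 4 "$f" | tr -d ' ')
  od -An -t u4 -j $((8 + len)) -N 4 "$f" | tr -d ' '
}

stage_policy() {
  src=$(module_dir "$DESTDIR" "$SELINUXTYPE")
  dst=$(policy_store "$ROOTFS" "$SELINUXTYPE")
  work=$(mktemp -d)
  # 1) link every module package into one base package; no semanage store
  #    is touched, so nothing happens on the build host's /etc/selinux
  semodule_link -o "$work/base.linked" $(ordered_modules "$src")
  # 2) expand the linked package into a kernel binary policy; -c pins the
  #    policy version so it does not exceed what the target kernel supports
  if [ -n "$POLICYVER" ]; then
    semodule_expand -c "$POLICYVER" "$work/base.linked" "$work/policy.bin"
  else
    semodule_expand "$work/base.linked" "$work/policy.bin"
  fi
  ver=$(kernel_policy_version "$work/policy.bin")
  # 3) put the files where the target's load_policy expects them
  mkdir -p "$dst/policy"
  cp "$work/policy.bin" "$dst/policy/policy.$ver"
  selinux_config enforcing "$SELINUXTYPE" > "$ROOTFS/etc/selinux/config"
  rm -rf "$work"
  # semodule_expand yields only the kernel policy; file_contexts and the
  # rest of contexts/ must be staged separately (not shown here).
  echo "staged $dst/policy/policy.$ver"
}

case "${1:-}" in
  stage) stage_policy ;;
esac
```

Run it as "sh stage_policy.sh stage" after make install; the rootfs can then be tarred up and the target boots with /etc/selinux/config plus policy/policy.NN in place, which is all load_policy needs to find the policy. Note that the magic check in kernel_policy_version rejects a module package (which carries a different magic) if it is passed by mistake, and that the version read from the header, not a guessed number, decides the file name.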