2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> xing li wrote:
>> 2008/12/27 xing li <lixing.1006@xxxxxxxxx>
>>
>>> Its work was really done in "/sbin/init" until the last step of
>>> system initialization, while the source of "/sbin/init" is included
>>> in sysvinit, and it finally invoked "security_load_policy()" to load
>>> the binary policy "policy.XX" into the kernel structure policydb.
>>>
>>> And I have been confused by the question:
>>> when and how does SELinux label the whole file system according
>>> to "file_contexts"?
>>> And I found the clue that when we "touch /.autorelabel", the system
>>> would invoke "fixfiles relabel" to relabel the file system, but I
>>> couldn't find the relevant source code.
>>> Maybe somebody has investigated that and could share information?
>>>
>>> 2008/12/27 Tim <timasyk@xxxxxxxxx>
>>>
>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>> function calls for loading SELinux policy into the Linux kernel at boot
>>>> time. And I've lost... too many calls to trace.
>>>>
>>>> Maybe somebody has that tracing already and can share information?
>>>>
>>>> Tim
>>>>
>>>> 2008/12/26 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>> I think, one of the main jobs
>>>>> For libselinux is reading the
>>>>> Policy, from its specified location
>>>>> And then mounting the selinuxfs.
>>>>> Or vice versa mounting selinuxfs,
>>>>> And then reading the policy. As
>>>>> For changing the location, not
>>>>> Too sure what the code looks like,
>>>>> Maybe it's just a few liners to
>>>>> Do what you wanted.
>>>>>
>>>>> justin P. Mattock
>>>>>
>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@xxxxxxxxx> wrote:
>>>>>
>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>> Justin P. Mattock wrote:
>>>>>>>> Paul Howarth wrote:
>>>>>>>>> Tim wrote:
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I was wondering, how can I change the default location of SELinux policy
>>>>>>>>>> from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>
>>>>>>>>>> The reasons to do that are:
>>>>>>>>>> - I want to work with loadable policy modules --> that requires the
>>>>>>>>>> /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>> - limitation of my filesystem having the /etc directory (it is a read-only
>>>>>>>>>> filesystem)
>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>>> filesystem
>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc from
>>>>>>>>> a writeable filesystem?
>>>>>>>>>
>>>>>>>>> Paul.
>>>>>>>>> --
>>>>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>>>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>>>>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>>>>>
>>>>>>>> This is confusing to me:
>>>>>>>> it sounds like they're not trying to mount
>>>>>>>> SELinux, but have the policy load
>>>>>>>> in a different location other than
>>>>>>>> /etc/selinux/*
>>>>>>>>
>>>>>>>> regards;
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>> On second thought from what it sounds,
>>>>>>> to have SELinux be read in another location,
>>>>>>> you would have to locate in
>>>>>>> libselinux the location from where the library is
>>>>>>> told to read the policy, and simply just change the location,
>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>> all apps, etc.. that read /etc/selinux/*
>>>>>>> maybe a simple change of /etc/selinux/config
>>>>>>> seems simpler, rather than going through
>>>>>>> lines of code.
>>>>>>> Anyways,
>>>>>>> "Merry Christmas"
>>>>>>>
>>>>>>> regards;
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>> You are right. I would like the kernel to read policy just from a different
>>>>>> location.
>>>>>>
>>>>>> So options are as follows:
>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>
>>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>>> contains the name of the policy to be loaded. And that name _policyname_ is the
>>>>>> name of a directory in /etc/selinux/_policyname_ having a subdirectory
>>>>>> policy with the actual policy file.
>>>>>>
>>>>>> So, it seems only option #1 is the one to use.
>>>>>>
>>>>>> Does the kernel use libselinux to read policy or does it read it directly from
>>>>>> the filesystem?
>>>>>> Any other pitfalls?
>>>>>>
>>>>>> Tim
>>>>
>>>
>>
> Everything uses libselinux to find the paths to policy. So if you
> wanted to change the location of where SELinux stores the policy you
> would need to modify libselinux. In the file src/selinux_config.c
> you would modify
>
> $ grep /etc/selinux src/selinux_config.c
> #define SELINUXDIR "/etc/selinux/"
>
> All of the other paths are relative to this.
>
> I do not believe that we have hard coded this path in to any other user
> tools. If we have that is a bug. I don't understand why you would want
> to change this path, and would suggest that you use bind mounts or
> remote mounts if you want these files to be located somewhere else. You
> would also need to maintain the file context if you do this.

The motivation for having an alternative path for the selinux policy directory
_policyname_ in /etc/selinux/_policyname_ is as follows:
1) I have a legacy system that mounts the root filesystem including
/etc/selinux/... in read-only mode;
2) also the system mounts a writable filesystem;
3) I can not change that behavior (modes of mounting, filesystem types,
sequence of mounting, number of mount points etc) of the legacy system for
some reason;
4) I can freely modify sources -> kernel, selinux-related (under the above
limitations).
5) there is a requirement to support modular policy infrastructure in that
system;
To do that I plan to make the SELinux subsystem operate on policy-related files
in a different location --> on the writable filesystem.

Could you please clarify that?

> You would also need to maintain the file context if you do this.

Tim
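The path scheme Dan describes above (every policy path hangs off the one SELINUXDIR constant, and /etc/selinux/config names the policy type) as an added illustration; this is not libselinux's code or anything posted in the thread, but a small Python approximation of it. The config keys SELINUX/SELINUXTYPE, the sub-paths policy/policy, contexts/files/file_contexts and modules, and the "targeted" fallback are assumptions based on the conventional /etc/selinux/<type> layout of that era, and the sample config is constructed, not read from disk.

```python
"""Approximation of how libselinux-style code derives SELinux policy paths
from a single root directory (added example, not libselinux source)."""
import posixpath

# The #define Dan quoted from src/selinux_config.c; the trailing slash is his.
DEFAULT_SELINUXDIR = "/etc/selinux/"
# Assumed fallback policy type when the config file does not name one.
DEFAULT_POLICYTYPE = "targeted"

# Constructed sample of /etc/selinux/config (not read from a real system).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
"""


def parse_selinux_config(text):
    """Return {KEY: value} for KEY=value lines, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def policy_paths(config_text, selinuxdir=DEFAULT_SELINUXDIR):
    """Derive the policy-related paths relative to selinuxdir.

    Everything is computed from the one root, so swapping selinuxdir moves
    every path at once; that is the single-constant change Dan points at.
    Sub-path names are assumptions reflecting the usual layout.
    """
    settings = parse_selinux_config(config_text)
    policytype = settings.get("SELINUXTYPE", DEFAULT_POLICYTYPE)
    root = posixpath.join(selinuxdir, policytype)
    return {
        "config": posixpath.join(selinuxdir, "config"),
        "policy_root": root,
        # The binary policy file is policy.<version>, e.g. policy.XX in the thread.
        "binary_policy_prefix": posixpath.join(root, "policy", "policy"),
        "file_contexts": posixpath.join(root, "contexts", "files", "file_contexts"),
        # Assumed location of the loadable-module store under the policy root.
        "module_store": posixpath.join(root, "modules"),
    }


def paths_needing_write(paths):
    """Directories a modular policy store must be able to write: installing a
    module rebuilds the binary policy and file_contexts and updates the store."""
    return [
        paths["module_store"],
        posixpath.dirname(paths["binary_policy_prefix"]),
        posixpath.dirname(paths["file_contexts"]),
    ]


if __name__ == "__main__":
    for label, root in (("default", DEFAULT_SELINUXDIR), ("relocated", "/mnt/rw/selinux/")):
        derived = policy_paths(SAMPLE_CONFIG, root)
        print(label, derived)
        print("  must be writable:", paths_needing_write(derived))
```

Passing a different root (here the constructed "/mnt/rw/selinux/") shows why Tim's requirement only needs the one constant changed if libselinux is rebuilt; Dan's alternative, bind-mounting a writable directory over /etc/selinux/_policyname_, relocates the same set of paths without touching any source, with the caveat he raises that the files on the writable filesystem must still carry the contexts file_contexts expects (for example by running restorecon over them after mounting).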