Tim wrote:
> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> xing li wrote:
>>>> 2008/12/27 xing li <lixing.1006@xxxxxxxxx>
>>>>
>>>>> Its work was really done in "/sbin/init" until the last step of
>>>>> system initialization, while the source of "/sbin/init" is included
>>>>> in sysvinit, and it finally invoked "security_load_policy()" to load
>>>>> the binary policy "policy.XX" into the kernel structure policydb.
>>>>>
>>>>> And I am confused by the question: when and how does SELinux label
>>>>> the whole file system according to "file_contexts"?
>>>>> And I found the clue that when we "touch /.autorelabel", the system
>>>>> would invoke "fixfiles relabel" to relabel the file system, but I
>>>>> couldn't find the relevant source code.
>>>>> Maybe somebody has investigated that and could share information?
>>>>>
>>>>> 2008/12/27 Tim <timasyk@xxxxxxxxx>
>>>>>
>>>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>>>> function calls for loading SELinux policy into the Linux kernel at
>>>>>> boot time. And I've got lost... too many calls to trace.
>>>>>>
>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>
>>>>>> Tim
>>>>>>
>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>> I think one of the main jobs for libselinux is reading the policy
>>>>>>> from its specified location and then mounting the selinuxfs, or
>>>>>>> vice versa: mounting selinuxfs and then reading the policy. As for
>>>>>>> changing the location, not too sure what the code looks like; maybe
>>>>>>> it's just a few-liner to do what you wanted.
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>
>>>>>>>>>>>> I was wondering, how can I change the default location of
>>>>>>>>>>>> SELinux policy from /etc/selinux/_policyname_ to some other
>>>>>>>>>>>> path? What source code should be modified for that?
>>>>>>>>>>>>
>>>>>>>>>>>> The reasons to do that are:
>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>>>>   the /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>> - limitation of my filesystem having the /etc directory (it is
>>>>>>>>>>>>   a read-only filesystem)
>>>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>>>>>   filesystem
>>>>>>>>>>>
>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than
>>>>>>>>>>> /etc from a writeable filesystem?
>>>>>>>>>>>
>>>>>>>>>>> Paul.
>>>>>>>>>>> --
>>>>>>>>>>> This message was distributed to subscribers of the selinux
>>>>>>>>>>> mailing list.
>>>>>>>>>>> If you no longer wish to subscribe, send mail to
>>>>>>>>>>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
>>>>>>>>>>> without quotes as the message.
>>>>>>>>>>>
>>>>>>>>>> This is confusing to me: it sounds like they're not trying to
>>>>>>>>>> mount SELinux, but have the policy load in a different location
>>>>>>>>>> other than /etc/selinux/*
>>>>>>>>>>
>>>>>>>>>> regards;
>>>>>>>>>>
>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>
>>>>>>>>> On second thought, from what it sounds, to have SELinux be read in
>>>>>>>>> another location, you would have to locate in libselinux the
>>>>>>>>> location from where the library is told to read the policy, and
>>>>>>>>> simply just change the location, but then you might have to change
>>>>>>>>> the kernel, all the libraries, all apps, etc. that read
>>>>>>>>> /etc/selinux/*
>>>>>>>>> Maybe a simple change of /etc/selinux/config seems simpler, rather
>>>>>>>>> than going through lines of code.
>>>>>>>>> Anyways,
>>>>>>>>> "Merry Christmas"
>>>>>>>>>
>>>>>>>>> regards;
>>>>>>>>>
>>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>>> You are right. I would like the kernel to read policy just from a
>>>>>>>> different location.
>>>>>>>>
>>>>>>>> So the options are as follows:
>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>
>>>>>>>> Regarding the second one - manuals on SELinux say that
>>>>>>>> /etc/selinux/config contains the name of the policy to be loaded.
>>>>>>>> And that name _policyname_ is the name of a directory in
>>>>>>>> /etc/selinux/_policyname_ having the subdirectory policy with the
>>>>>>>> actual policy file.
>>>>>>>>
>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>
>>>>>>>> Does the kernel use libselinux to read policy or does it read it
>>>>>>>> directly from the filesystem?
>>>>>>>> Any other pitfalls?
>>>>>>>>
>>>>>>>> Tim
>>>>>>
>
> Everything uses libselinux to find the paths to policy. So if you
> wanted to change the location of where SELinux stores the policy you
> would need to modify libselinux. In the file src/selinux_config.c
> you would modify
>
> $ grep /etc/selinux src/selinux_config.c
> #define SELINUXDIR "/etc/selinux/"
>
> All of the other paths are relative to this.
>
> I do not believe that we have hard coded this path into any other user
> tools. If we have, that is a bug. I don't understand why you would want
> to change this path, and would suggest that you use bind mounts or
> remote mounts if you want these files to be located somewhere else. You
> would also need to maintain the file context if you do this.
>>
> The motivation for having an alternative path for the selinux policy
> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
> 1) I have a legacy system that mounts the root filesystem including
> /etc/selinux/... in read-only mode;
> 2) also the system mounts a writable filesystem;
> 3) I can not change that behavior (modes of mounting, filesystem
> types, sequence of mounting, number of mount points etc.) of the legacy
> system for some reason;
> 4) I can freely modify sources -> kernel, selinux-related (under the
> above limitations).
> 5) there is a requirement to support the modular policy infrastructure
> in that system;
> To do that I plan to make the SELinux subsystem operate on
> policy-related files at a different location --> on the writable
> filesystem.
> Could you please clarify that?

You would also need to maintain the file context if you do this.

> Tim

If you want to maintain the SELinux files on, say, /var/lib/selinux then
all of the file context under /var/lib/selinux needs to match that of
/etc/selinux. So /var/lib/selinux/targeted needs to be labeled
selinux_config_t.

In Rawhide for example I have the following labeling for /etc/selinux:

# grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux(/.*)?                                        system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers                          -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)?                      -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?                        system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?setrans\.conf                    -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)?                      system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)?                system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK     -- system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK    -- system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0

You can set up matching labels for /var/lib/selinux with the semanage
command.

# semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
...
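Dan's point that a relocated policy tree must carry exactly the labels /etc/selinux has can be checked mechanically. The script below is an added example, not code from this thread or from libselinux/policycoreutils: it parses the file_contexts entries Dan quoted (embedded as a constructed sample), rewrites them for a /var/lib/selinux base, emits the matching `semanage fcontext -a` commands, and resolves the label a path would receive under libselinux's last-matching-entry rule. The `-f f` form for regular-file entries is the modern semanage option syntax, and the base paths are the ones used in the thread.

```python
import re
import shlex
# Constructed sample: the /etc/selinux entries Dan quoted (fields: regex, [file type], context).
FILE_CONTEXTS = r"""/etc/selinux(/.*)?  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers  --  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)?  --  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?  system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?setrans\.conf  --  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)?  system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)?  system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK  --  system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK  --  system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?  system_u:object_r:semanage_store_t:s0"""
# file_contexts type codes -> letters taken by modern 'semanage fcontext -f'.
FTYPE = {"--": "f", "-d": "d", "-c": "c", "-b": "b", "-s": "s", "-l": "l", "-p": "p"}

def parse_file_contexts(text):
    """Return (regex, ftype_or_None, context) tuples; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        if len(f) not in (2, 3):
            raise ValueError("malformed file_contexts line: %r" % line)
        entries.append((f[0], f[1] if len(f) == 3 else None, f[-1]))
    return entries

def relocate(entries, old_base="/etc/selinux", new_base="/var/lib/selinux"):
    """Rewrite the path prefix so the relocated tree gets exactly the same labels."""
    return [(new_base + rx[len(old_base):], ft, ctx)
            for rx, ft, ctx in entries if rx.startswith(old_base)]

def semanage_commands(entries):
    """Emit one 'semanage fcontext -a' per entry, shell-quoted (the regex has metacharacters)."""
    cmds = []
    for rx, ft, ctx in entries:
        cmd = ["semanage", "fcontext", "-a", "-t", ctx.split(":")[2]]
        if ft:
            cmd += ["-f", FTYPE[ft]]
        cmds.append(" ".join(shlex.quote(c) for c in cmd + [rx]))
    return cmds

def lookup(entries, path, is_dir=False):
    """Resolve a path as libselinux does: last matching entry wins; '--' entries match only files."""
    found = None
    for rx, ft, ctx in entries:
        if (ft == "--" and is_dir) or (ft == "-d" and not is_dir):
            continue
        if re.fullmatch(rx, path):
            found = ctx
    return found
```

The first emitted command is exactly the one Dan gives in the thread; the remaining nine cover the lock files, module store and contexts subtrees that a single selinux_config_t rule would otherwise mislabel.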