2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> Tim wrote:
>> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>> xing li wrote:
>>>>> 2008/12/27 xing li <lixing.1006@xxxxxxxxx>
>>>>>
>>>>>> Its work was really done in "/sbin/init" until the last step of
>>>>>> system initialization, while the source of "/sbin/init" is included
>>>>>> in sysvinit, and it finally invoked "security_load_policy()" to load
>>>>>> the binary policy "policy.XX" into the kernel structure policydb.
>>>>>>
>>>>>> And I am confused by the question:
>>>>>> when and how does SELinux label the whole file system according
>>>>>> to "file_contexts"?
>>>>>> I found the clue that when we "touch /.autorelabel", the system would
>>>>>> invoke "fixfiles relabel" to relabel the file system, but I couldn't
>>>>>> find the relevant source code.
>>>>>> Maybe somebody has investigated that and could share information?
>>>>>>
>>>>>> 2008/12/27 Tim <timasyk@xxxxxxxxx>
>>>>>>
>>>>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>>>>> function calls for loading SELinux policy into the Linux kernel at boot
>>>>>>> time. And I've lost... too many calls to trace.
>>>>>>>
>>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>> I think one of the main jobs
>>>>>>>> for libselinux is reading the
>>>>>>>> policy from its specified location
>>>>>>>> and then mounting the selinuxfs,
>>>>>>>> or vice versa: mounting selinuxfs
>>>>>>>> and then reading the policy. As
>>>>>>>> for changing the location, not
>>>>>>>> too sure what the code looks like;
>>>>>>>> maybe it's just a few lines to
>>>>>>>> do what you wanted.
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I was wondering, how can I change the default location of SELinux
>>>>>>>>>>>>> policy from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The reasons to do that are:
>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>>>>> the /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>>> - a limitation of my filesystem having the /etc directory (it is
>>>>>>>>>>>>> a read-only filesystem)
>>>>>>>>>>>>> - unfortunately, I can not mount /etc onto some other writable
>>>>>>>>>>>>> filesystem
>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
>>>>>>>>>>>> from a writeable filesystem?
>>>>>>>>>>>>
>>>>>>>>>>>> Paul.
>>>>>>>>>>>> --
>>>>>>>>>>>> This message was distributed to subscribers of the selinux mailing list.
>>>>>>>>>>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
>>>>>>>>>>>> with the words "unsubscribe selinux" without quotes as the message.
>>>>>>>>>>>>
>>>>>>>>>>> This is confusing to me:
>>>>>>>>>>> it sounds like they're not trying to mount
>>>>>>>>>>> SELinux, but to have the policy load
>>>>>>>>>>> from a different location other than
>>>>>>>>>>> /etc/selinux/*
>>>>>>>>>>>
>>>>>>>>>>> regards;
>>>>>>>>>>>
>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>
>>>>>>>>>> On second thought, from what it sounds,
>>>>>>>>>> to have SELinux be read from another location
>>>>>>>>>> you would have to locate in
>>>>>>>>>> libselinux the location from where the library is
>>>>>>>>>> told to read the policy, and simply just change the location,
>>>>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>>>>> all apps, etc. that read /etc/selinux/*
>>>>>>>>>> Maybe a simple change of /etc/selinux/config
>>>>>>>>>> seems simpler, rather than going through
>>>>>>>>>> lines of code.
>>>>>>>>>> Anyways,
>>>>>>>>>> "Merry Christmas"
>>>>>>>>>>
>>>>>>>>>> regards;
>>>>>>>>>>
>>>>>>>>>> Justin P. Mattock
>>>>>>>>> You are right. I would like the kernel to read policy just from a different
>>>>>>>>> location.
>>>>>>>>>
>>>>>>>>> So the options are as follows:
>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>>
>>>>>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>>>>>> contains the name of the policy to be loaded. And that name _policyname_ is the
>>>>>>>>> name of a directory in /etc/selinux/_policyname_ having a subdirectory
>>>>>>>>> policy with the actual policy file.
>>>>>>>>>
>>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>>
>>>>>>>>> Does the kernel use libselinux to read policy or does it read it directly from
>>>>>>>>> the filesystem?
>>>>>>>>> Any other pitfalls?
>>>>>>>>>
>>>>>>>>> Tim
>>>>>>>
>> Everything uses libselinux to find the paths to policy. So if you
>> wanted to change the location of where SELinux stores the policy you
>> would need to modify libselinux. In the file src/selinux_config.c
>> you would modify
>>
>> $ grep /etc/selinux src/selinux_config.c
>> #define SELINUXDIR "/etc/selinux/"
>>
>> All of the other paths are relative to this.
>>
>> I do not believe that we have hard coded this path into any other user
>> tools. If we have, that is a bug. I don't understand why you would want
>> to change this path, and would suggest that you use bind mounts or
>> remote mounts if you want these files to be located somewhere else. You
>> would also need to maintain the file context if you do this.
>>>
>> The motivation for having an alternative path for the selinux policy
>> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
>> 1) I have a legacy system that mounts the root filesystem including
>> /etc/selinux/... in read-only mode;
>> 2) also the system mounts a writable filesystem;
>> 3) I can not change that behavior (modes of mounting, filesystem
>> types, sequence of mounting, number of mount points etc.) of the legacy
>> system for some reason;
>> 4) I can freely modify sources -> kernel, selinux-related (under the above
>> limitations).
>> 5) there is a requirement to support the modular policy infrastructure in
>> that system;
>
>> To do that I plan to make the SELinux subsystem operate on policy-related
>> files in a different location --> on the writable filesystem.
>
>> Could you please clarify that?
> You would also need to maintain the file context if you do this.
>
>> Tim
>
> If you want to maintain the SELinux files on say /var/lib/selinux then
> all of the file contexts under /var/lib/selinux need to match those of
> /etc/selinux
>
> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>
> In Rawhide for example I have the following labeling for /etc/selinux
> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>
> You can set up matching labels for /var/lib/selinux with the semanage
> command.
>
> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
> ...
>

Thank you for the clarification. I will try to change the suggested libselinux line to point to a different location and post the results.

Tim
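Dan Walsh's point is that relocating the policy store only stays safe if every file_contexts rule for /etc/selinux has an equivalent for the new root, otherwise restorecon and the tools that read the store see wrongly labelled files. The script below is an added example, not code from the thread or from libselinux: it parses the Rawhide entries quoted above (rejoined into one line each), swaps the literal /etc/selinux prefix for /var/lib/selinux, and emits the result both as file_contexts syntax and as `semanage fcontext -a` commands. The `lookup` function mirrors the last-matching-entry-wins rule libselinux applies to an ordered spec file, which is why the more specific `contexts/files` rule must come after the plain `contexts` rule. Assumptions of this example: the new root location, the two `-f` spelling maps (the flag exists, but whether it takes `--` or `f` depends on the semanage version), and that the input is ordered most-specific-last as the policy build does.

```python
"""Derive file-context rules for a relocated SELinux policy tree (added example)."""
import re
import shlex

# Constructed from the file_contexts lines quoted in the thread (wrapped lines rejoined).
ETC_SELINUX_FILE_CONTEXTS = r"""
/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
"""

# Fields: regex, optional ls-style file type (-- regular file, -d directory, ...), context.
ENTRY_RE = re.compile(r'^(\S+)(?:\s+(-[-bcdlps]))?\s+(\S+)$')
REGEX_META = re.compile(r'([.^$*+?()\[\]{}|\\])')


def parse_file_contexts(text):
    """Parse file_contexts text into (regex, ftype_or_None, context) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f'line {lineno}: unparsable entry {raw!r}')
        regex, ftype, context = m.groups()
        if context != '<<none>>' and context.count(':') < 3:
            raise ValueError(f'line {lineno}: bad security context {context!r}')
        re.compile(regex)  # reject a broken regex early rather than at relabel time
        entries.append((regex, ftype, context))
    return entries


def relocate(entries, old_root='/etc/selinux', new_root='/var/lib/selinux'):
    """Rewrite the literal old_root prefix of every entry to new_root (regex-escaped)."""
    escaped_root = REGEX_META.sub(r'\\\1', new_root)
    out = []
    for regex, ftype, context in entries:
        if not regex.startswith(old_root):
            raise ValueError(f'entry does not live under {old_root}: {regex}')
        out.append((escaped_root + regex[len(old_root):], ftype, context))
    return out


def to_file_contexts(entries):
    """Render entries back into file_contexts syntax (e.g. for a local contexts file)."""
    return '\n'.join(' '.join(f for f in e if f) for e in entries) + '\n'


# How the -f value is spelled depends on the semanage version: the 2008-era tool
# took the ls-style field, current ones take a single letter. Both maps are
# assumptions of this example; check `semanage fcontext --help` on the target.
FTYPE_LEGACY = {'--': '--', '-d': '-d', '-l': '-l', '-s': '-s', '-p': '-p', '-b': '-b', '-c': '-c'}
FTYPE_CURRENT = {'--': 'f', '-d': 'd', '-l': 'l', '-s': 's', '-p': 'p', '-b': 'b', '-c': 'c'}


def to_semanage_commands(entries, ftype_map=FTYPE_CURRENT):
    """One `semanage fcontext -a` line per entry; the type is taken from the context."""
    cmds = []
    for regex, ftype, context in entries:
        argv = ['semanage', 'fcontext', '-a']
        if ftype:
            argv += ['-f', ftype_map[ftype]]
        argv += ['-t', context.split(':')[2], regex]
        cmds.append(' '.join(shlex.quote(a) for a in argv))
    return cmds


def lookup(entries, path, ftype=None):
    """Context a relabel would assign: the last entry whose regex (and type) matches wins."""
    found = None
    for regex, etype, context in entries:
        if etype and ftype and etype != ftype:
            continue
        if re.fullmatch(regex, path):
            found = context
    return found


if __name__ == '__main__':
    moved = relocate(parse_file_contexts(ETC_SELINUX_FILE_CONTEXTS))
    print(to_file_contexts(moved))
    print('\n'.join(to_semanage_commands(moved)))
    print(lookup(moved, '/var/lib/selinux/targeted/policy/policy.23', '--'))
```

The first generated command is exactly the one Dan quoted; the remaining nine are the ones his `...` stands for. Running `lookup` against a few paths before applying the rules is a cheap way to confirm that the store's policy directory, lock files and `contexts/files` tree would end up with the same types they carry under /etc/selinux.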