-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tim wrote:
> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>> Tim wrote:
>>> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>>>> xing li wrote:
>>>>> 2008/12/27 xing li <lixing.1006@xxxxxxxxx>
>>>>>
>>>>>> Its work was really done in "/sbin/init" until the last step of
>>>>>> system initialization, while the source of "/sbin/init" is included
>>>>>> in the sysvinit, and it finally invoked "security_load_policy()" to
>>>>>> load the binary policy "policy.XX" into the kernel structure policydb.
>>>>>>
>>>>>> And I am confused by the question:
>>>>>> when and how does SELinux label the whole file system according
>>>>>> to "file_contexts"?
>>>>>> And I found the clue that when we "touch /.autorelabel", the system
>>>>>> would invoke "fixfiles relabel" to relabel the file system, but I
>>>>>> couldn't find the relevant source code.
>>>>>> Maybe somebody has investigated that and could share information?
>>>>>>
>>>>>> 2008/12/27 Tim <timasyk@xxxxxxxxx>
>>>>>>
>>>>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>>>>> function calls for loading SELinux policy into the Linux kernel at boot
>>>>>>> time. And I've got lost... too many calls to trace.
>>>>>>>
>>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>>
>>>>>>> Tim
>>>>>>>
>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>> I think one of the main jobs
>>>>>>>> for libselinux is reading the
>>>>>>>> policy from its specified location
>>>>>>>> and then mounting the selinuxfs.
>>>>>>>> Or vice versa, mounting selinuxfs
>>>>>>>> and then reading the policy. As
>>>>>>>> for changing the location, not
>>>>>>>> too sure what the code looks like,
>>>>>>>> maybe it's just a few liners to
>>>>>>>> do what you wanted.
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>>>
>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I was wondering, how can I change the default location of SELinux
>>>>>>>>>>>>> policy from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> The reasons to do that are:
>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>>>>>   the /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>>> - limitation of my filesystem having /etc directory (it is a
>>>>>>>>>>>>>   read-only filesystem)
>>>>>>>>>>>>> - unfortunately, I cannot mount /etc into some other writable
>>>>>>>>>>>>>   filesystem
>>>>>>>>>>>>
>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
>>>>>>>>>>>> from a writable filesystem?
>>>>>>>>>>>>
>>>>>>>>>>>> Paul.
>>>>>>>>>>>> --
>>>>>>>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>>>>>>>> list.
>>>>>>>>>>>> If you no longer wish to subscribe, send mail to
>>>>>>>>>>>> majordomo@xxxxxxxxxxxxx
>>>>>>>>>>>> with
>>>>>>>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>>>>>>>>
>>>>>>>>>>> This is confusing to me:
>>>>>>>>>>> it sounds like they're not trying to mount
>>>>>>>>>>> SELinux, but to have the policy load
>>>>>>>>>>> in a different location other than
>>>>>>>>>>> /etc/selinux/*
>>>>>>>>>>>
>>>>>>>>>>> regards;
>>>>>>>>>>>
>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>
>>>>>>>>>> On second thought, from what it sounds,
>>>>>>>>>> to have SELinux be read in another location,
>>>>>>>>>> you would have to locate in
>>>>>>>>>> libselinux the location from where the library is
>>>>>>>>>> told to read the policy, and simply change the location,
>>>>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>>>>> all apps, etc. that read /etc/selinux/*
>>>>>>>>>> Maybe a simple change of /etc/selinux/config
>>>>>>>>>> seems simpler, rather than going through
>>>>>>>>>> lines of code.
>>>>>>>>>> Anyways,
>>>>>>>>>> "Merry Christmas"
>>>>>>>>>>
>>>>>>>>>> regards;
>>>>>>>>>>
>>>>>>>>>> Justin P. Mattock
>>>>>>>>>
>>>>>>>>> You are right. I would like the kernel to read policy just from a
>>>>>>>>> different location.
>>>>>>>>>
>>>>>>>>> So options are as following:
>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>>
>>>>>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>>>>>> contains the name of the policy to be loaded. And that name _policyname_
>>>>>>>>> is the name of a directory in /etc/selinux/_policyname_ having a
>>>>>>>>> subdirectory policy with the actual policy file.
>>>>>>>>>
>>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>>
>>>>>>>>> Does the kernel use libselinux to read the policy or does it read it
>>>>>>>>> directly from the filesystem?
>>>>>>>>> Any other pitfalls?
>>>>>>>>>
>>>>>>>>> Tim
>>>>
>>>> Everything uses libselinux to find the paths to policy. So if you
>>>> wanted to change the location of where SELinux stores the policy you
>>>> would need to modify libselinux. In the file src/selinux_config.c
>>>> you would modify
>>>>
>>>> $ grep /etc/selinux src/selinux_config.c
>>>> #define SELINUXDIR "/etc/selinux/"
>>>>
>>>> All of the other paths are relative to this.
>>>>
>>>> I do not believe that we have hard-coded this path into any other user
>>>> tools. If we have, that is a bug. I don't understand why you would want
>>>> to change this path, and would suggest that you use bind mounts or
>>>> remote mounts if you want these files to be located somewhere else. You
>>>> would also need to maintain the file context if you do this.
>>>
>>> The motivation for having an alternative path for the SELinux policy
>>> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
>>> 1) I have a legacy system that mounts the root filesystem including
>>> /etc/selinux/... in read-only mode;
>>> 2) also the system mounts a writable filesystem;
>>> 3) I cannot change that behavior (modes of mounting, filesystem
>>> types, sequence of mounting, number of mount points etc.) of the legacy
>>> system for some reason;
>>> 4) I can freely modify sources -> kernel, selinux-related (under the above
>>> limitations).
>>> 5) there is a requirement to support modular policy infrastructure in
>>> that system;
>>> To do that I plan to make the SELinux subsystem operate on policy-related
>>> files in a different location --> on a writable filesystem.
>>> Could you please clarify that?
>>>
>>>> You would also need to maintain the file context if you do this.
>>>
>>> Tim
>>
>> If you want to maintain the SELinux files on say /var/lib/selinux then
>> all of the file context under /var/lib/selinux needs to match that of
>> /etc/selinux
>>
>> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>>
>> In Rawhide for example I have the following labeling for /etc/selinux
>> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
>> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
>> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
>> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
>> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
>> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
>> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>>
>> You can set up matching labels for /var/lib/selinux with the semanage
>> command.
>>
>> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
>> ...
>>
>
> Thank you for clarification.
> I will try to change the suggested libselinux line to point into a different
> location and post the results.
> Tim

Why not just use a bind mount on a regular mount, and then you do not need
to change the library at all?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklWO4MACgkQrlYvE4MpobPZsACg5YXltDIHUMA7001nNCdLO3C/
jBUAoNwSx/nVhejh+OdSAES9D6wJktao
=X1+b
-----END PGP SIGNATURE-----
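The two practical points in this thread are the labeling list Dan Walsh quotes from the Rawhide file_contexts and his closing suggestion to bind-mount a writable store over the hard-coded SELINUXDIR instead of patching libselinux. The script below is an added example, not code from the original mail or from the SELinux project: it takes file_contexts-style rules as input, rewrites every rule under /etc/selinux to the new store so the labels match, and prints the copy, relabel, bind-mount and verification steps in order rather than executing them. The target directory /var/lib/selinux (NEWROOT) is the hypothetical one used in the thread, the sample rules are a constructed subset of the quoted list plus one unrelated rule to show it being skipped, and the mapping of the file-type column to semanage's single-letter -f/--ftype argument assumes a semanage that accepts f/d/l/c/b/s/p there.

```shell
#!/bin/sh
# Added example for this thread, not code from the original mail or from the
# SELinux project. It carries out the bind-mount suggestion: keep the policy
# store on a writable filesystem, give it the labels that the quoted
# file_contexts rules give /etc/selinux, and bind-mount it over the
# hard-coded SELINUXDIR so libselinux needs no change. Nothing here runs a
# privileged command; the plan is printed so it can be reviewed first.
# Assumptions: NEWROOT defaults to /var/lib/selinux (hypothetical target) and
# semanage's -f/--ftype takes the single letters f/d/l/c/b/s/p.

OLDROOT="/etc/selinux"
NEWROOT="${NEWROOT:-/var/lib/selinux}"

# Constructed sample input: a subset of the Rawhide file_contexts lines quoted
# in the thread, plus one rule outside /etc/selinux that must be ignored.
SAMPLE_FC='/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
/usr/share/selinux(/.*)? system_u:object_r:usr_t:s0'

# mirror_fcontext: read file_contexts-style lines on stdin and print one
# "semanage fcontext -a" command per rule that lives under OLDROOT, with the
# path prefix rewritten to NEWROOT. Comments and rules outside OLDROOT are
# skipped. The optional file-type column ("--" regular file, "-d" directory,
# and so on) becomes semanage's -f letter; rules without it apply to all types.
mirror_fcontext() {
    awk -v old="$OLDROOT" -v new="$NEWROOT" '
        NF < 2 || $1 ~ /^#/ { next }
        {
            regex = $1
            if (NF >= 3) { ftype = $2; ctx = $3 } else { ftype = ""; ctx = $2 }
            if (index(regex, old) != 1) { next }
            regex = new substr(regex, length(old) + 1)
            split(ctx, part, ":")            # seuser:role:type:level
            cmd = "semanage fcontext -a"
            if (ftype == "--")     cmd = cmd " -f f"
            else if (ftype != "")  cmd = cmd " -f " substr(ftype, 2)
            printf "%s -t %s '\''%s'\''\n", cmd, part[3], regex
        }'
}

# relocate_plan: the full sequence, in order. Copy the read-only store once,
# register the mirrored labels, apply them to the copy, then bind-mount the
# writable copy over /etc/selinux. The last line is the check: after the
# mount, both paths must show selinux_config_t, as the thread requires.
relocate_plan() {
    echo "cp -a $OLDROOT/. $NEWROOT/"
    printf '%s\n' "$SAMPLE_FC" | mirror_fcontext
    echo "restorecon -R -v $NEWROOT"
    echo "mount --bind $NEWROOT $OLDROOT"
    echo "ls -Zd $OLDROOT $NEWROOT/targeted"
}

relocate_plan
```

On a real system, feed the actual file_contexts of the active policy to mirror_fcontext instead of the constructed sample, review the printed plan, and only then pipe it to a root shell. Two caveats apply: restorecon only applies rules that are already registered, so the semanage commands must run before it, and the bind mount has to be in place before anything that loads or manages policy runs, otherwise early boot keeps reading the read-only copy under /etc/selinux while semanage later writes to the relocated one and the two stores drift apart.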