2008/12/28 Tom London <selinux@xxxxxxxxx>:
> On Sat, Dec 27, 2008 at 5:07 PM, Tim <timasyk@xxxxxxxxx> wrote:
>> 2008/12/28 Tim <timasyk@xxxxxxxxx>:
>>> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>>>>
>>>> Tim wrote:
>>>>> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>>>>> Tim wrote:
>>>>>>>> 2008/12/27 Daniel J Walsh <dwalsh@xxxxxxxxxx>:
>>>>>>>> xing li wrote:
>>>>>>>>>>> 2008/12/27 xing li <lixing.1006@xxxxxxxxx>
>>>>>>>>>>>
>>>>>>>>>>>> Its work was really done in "/sbin/init" until the last step of
>>>>>>>>>>>> system initialization, while the source of "/sbin/init" is included
>>>>>>>>>>>> in the sysvinit, and it finally invoked "security_load_policy()" to
>>>>>>>>>>>> load the binary policy "policy.XX" into the kernel structure policydb.
>>>>>>>>>>>>
>>>>>>>>>>>> And I am confused by the question: when and how does SELinux label
>>>>>>>>>>>> the whole file system according to "file_contexts"?
>>>>>>>>>>>> I found the clue that when we "touch /.autorelabel", the system would
>>>>>>>>>>>> invoke "fixfiles relabel" to relabel the file system, but I couldn't
>>>>>>>>>>>> find the relevant source code.
>>>>>>>>>>>> Maybe somebody has investigated that and could share information?
>>>>>>>>>>>>
>>>>>>>>>>>> 2008/12/27 Tim <timasyk@xxxxxxxxx>
>>>>>>>>>>>>
>>>>>>>>>>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>>>>>>>>>>> function calls for loading SELinux policy into the Linux kernel at
>>>>>>>>>>>>> boot time. And I've got lost... too many calls to trace.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tim
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>>>>>>>> I think one of the main jobs for libselinux is reading the
>>>>>>>>>>>>>> policy from its specified location and then mounting the selinuxfs,
>>>>>>>>>>>>>> or vice versa, mounting selinuxfs and then reading the policy. As
>>>>>>>>>>>>>> for changing the location, not too sure what the code looks like;
>>>>>>>>>>>>>> maybe it's just a few lines to do what you wanted.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@xxxxxxxxx> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@xxxxxxxxx>:
>>>>>>>>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I was wondering, how can I change the default location of SELinux
>>>>>>>>>>>>>>>>>>> policy from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The reasons to do that are:
>>>>>>>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>>>>>>>>>>>   the /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>>>>>>>>> - limitation of my filesystem having the /etc directory (it is a
>>>>>>>>>>>>>>>>>>>   read-only filesystem)
>>>>>>>>>>>>>>>>>>> - unfortunately, I can not mount /etc onto some other writable
>>>>>>>>>>>>>>>>>>>   filesystem
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
>>>>>>>>>>>>>>>>>> from a writeable filesystem?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Paul.
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>>>>>>>>>>>>>> list. If you no longer wish to subscribe, send mail to
>>>>>>>>>>>>>>>>>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux"
>>>>>>>>>>>>>>>>>> without quotes as the message.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is confusing to me: it sounds like they're not trying to mount
>>>>>>>>>>>>>>>>> SELinux, but have the policy load in a different location other than
>>>>>>>>>>>>>>>>> /etc/selinux/*
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On second thought, from what it sounds, to have SELinux be read in
>>>>>>>>>>>>>>>> another location you would have to locate in libselinux the place
>>>>>>>>>>>>>>>> where the library is told to read the policy, and simply change the
>>>>>>>>>>>>>>>> location, but then you might have to change the kernel, all the
>>>>>>>>>>>>>>>> libraries, all apps, etc. that read /etc/selinux/*. Maybe a simple
>>>>>>>>>>>>>>>> change of /etc/selinux/config seems simpler, rather than going
>>>>>>>>>>>>>>>> through lines of code.
>>>>>>>>>>>>>>>> Anyways,
>>>>>>>>>>>>>>>> "Merry Christmas"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You are right. I would like the kernel to read policy just from a
>>>>>>>>>>>>>>> different location.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So the options are as follows:
>>>>>>>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regarding the second one - manuals on SELinux say that
>>>>>>>>>>>>>>> /etc/selinux/config contains the name of the policy to be loaded.
>>>>>>>>>>>>>>> And that name _policyname_ is the name of a directory in
>>>>>>>>>>>>>>> /etc/selinux/_policyname_ having the subdirectory policy with the
>>>>>>>>>>>>>>> actual policy file.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Does the kernel use libselinux to read policy, or does it read it
>>>>>>>>>>>>>>> directly from the filesystem?
>>>>>>>>>>>>>>> Any other pitfalls?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tim
>>>>>>>>>>>>>
>>>>>>>> Everything uses libselinux to find the paths to policy. So if you
>>>>>>>> wanted to change the location of where SELinux stores the policy you
>>>>>>>> would need to modify libselinux. In the file src/selinux_config.c
>>>>>>>> you would modify
>>>>>>>>
>>>>>>>> $ grep /etc/selinux src/selinux_config.c
>>>>>>>> #define SELINUXDIR "/etc/selinux/"
>>>>>>>>
>>>>>>>> All of the other paths are relative to this.
>>>>>>>>
>>>>>>>> I do not believe that we have hard coded this path into any other user
>>>>>>>> tools. If we have, that is a bug. I don't understand why you would want
>>>>>>>> to change this path, and would suggest that you use bind mounts or
>>>>>>>> remote mounts if you want these files to be located somewhere else. You
>>>>>>>> would also need to maintain the file context if you do this.
>>>>>>>>
>>>>>>>> The motivation for having an alternative path for the selinux policy
>>>>>>>> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
>>>>>>>> 1) I have a legacy system that mounts the root filesystem including
>>>>>>>>    /etc/selinux/... in read-only mode;
>>>>>>>> 2) also the system mounts a writable filesystem;
>>>>>>>> 3) I can not change that behavior (modes of mounting, filesystem
>>>>>>>>    types, sequence of mounting, number of mount points etc) of the
>>>>>>>>    legacy system for some reason;
>>>>>>>> 4) I can freely modify sources -> kernel, selinux-related (under the
>>>>>>>>    above limitations);
>>>>>>>> 5) there is a requirement to support the modular policy infrastructure
>>>>>>>>    in that system.
>>>>>>>> To do that I plan to make the SELinux subsystem operate on
>>>>>>>> policy-related files in a different location --> on the writable
>>>>>>>> filesystem.
>>>>>>>> Could you please clarify that?
>>>>>>>>
>>>>>>>> Tim
>>>>>
>>>>> You would also need to maintain the file context if you do this.
>>>>>
>>>>> If you want to maintain the SELinux files on say /var/lib/selinux then
>>>>> all of the file context under /var/lib/selinux needs to match that of
>>>>> /etc/selinux
>>>>>
>>>>> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>>>>>
>>>>> In Rawhide for example I have the following labeling for /etc/selinux
>>>>> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
>>>>> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
>>>>> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
>>>>> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>>>>>
>>>>> You can set up matching labels for /var/lib/selinux with the semanage
>>>>> command.
>>>>>
>>>>> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
>>>>> ...
>>>>>
>>>>> Thank you for the clarification.
>>>>> I will try to change the suggested libselinux line to point into a
>>>>> different location and post the results.
>>>>>
>>>>> Tim
>>>>
>>>> Why not just use a bind mount on a regular mount, and then you do not
>>>> need to change the library at all?
>>>>
>>> Sure, I will try mount --bind before modification of any source.
>>>
>>> Tim
>>>
>> Results on mount --bind
>> 1) mount --bind /etc/selinnux /opt/mypolicy
>>    fails since /etc/selinnux is not a device.
>>    I think the reason is that /etc/selinnux is part of the root filesystem,
>>    not a separate filesystem. So mount can not handle it.
>> 2) Straight modification of the policy path in libselinux to point into the
>>    writable filesystem also did not help at boot.
>>    Reason: policy reading is done at a very early stage - a way _before_
>>    the writable filesystem is mounted.
>>
>> Any ideas for that?
>>
>> Tim
>>
>
> "mount --bind" works for me:
>
> [root@tlondon ~]# mkdir foobar
> [root@tlondon ~]# mount --bind /etc/selinux foobar
> [root@tlondon ~]# ls -l foobar
> total 16
> -rw-r--r-- 1 root root  483 2008-12-27 08:56 config
> -rw------- 1 root root  133 2008-12-10 06:22 restorecond.conf
> -rw-r--r-- 1 root root 1766 2008-12-04 13:12 semanage.conf
> drwxr-xr-x 5 root root 4096 2008-12-27 08:57 targeted
> [root@tlondon ~]#
>
> I notice that you spelled '/etc/selinux' as '/etc/selinnux'.
>
> That produces the following:
> [root@tlondon ~]# mount --bind /etc/selinnux foobar
> mount: special device /etc/selinnux does not exist
> [root@tlondon ~]#
>
> Does that help?
>
> tom
> --
> Tom London
>

Thank you very much, Tom! I made that typo. After testing, it works.
However... /etc/selinux is on a read-only filesystem in my system.

If I execute:
mount --bind /etc/selinux /somefs/writable/place
I will have the content of /somefs/writable/place the same as for /etc/selinux,
with read-only permissions.

Then... maybe the mounting should look like this:
mount --bind /somefs/writable/place /etc/selinux
Then the content of /somefs/writable/place will be accessed with calls to
/etc/selinux.

So, now the plan is as follows:
0) Put all policy-related files into the writable filesystem (say,
   /somefs/writable/place).
1) I have some "default" policy in /etc/selinux on the read-only filesystem.
   Fine, let the system boot with that policy first.
2) In rc.sysinit mount the writable filesystem (the above /somefs).
3) In rc.sysinit put this line after mounting /somefs:
   mount --bind /somefs/writable/place /etc/selinux
   Now the system is running with the "default" policy, but /etc/selinux is
   "mapped" onto the place where the actual policy is located. So..
4) In rc.sysinit put a line to reload the policy:
   load_policy -b
   Now the system will be loaded with the new policy. At least that is the
   theory :)

Any ideas on improvement?

Tim

P.S. there are some hardcoded paths to /etc/selinux in:
libsemanage-1.10.9/src/semanage_store.c
policycoreutils-1.34.16/restorecond/restorecond.c
policycoreutils-1.34.16 - a number of script files
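Dan Walsh's point above is that whatever directory ends up bind-mounted over /etc/selinux must carry the same labels as /etc/selinux; otherwise the plan's load_policy step runs against mislabeled files. The script below is an added example, not code from the thread or from the SELinux project: it rewrites the file_contexts entries Dan quoted for a new prefix and prints them in the `semanage fcontext -a -t` form he shows. The sample entries are constructed from the ones quoted above and the /var/lib/selinux prefix is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the SELinux project: derive labeling
# rules for an alternative policy directory from the /etc/selinux rules that
# Dan Walsh quoted. The target prefix /var/lib/selinux is an assumption.

# Constructed sample: a subset of the file_contexts lines quoted in the thread.
SAMPLE_FCONTEXTS='/etc/selinux(/.*)?  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers  --  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?  system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK  --  system_u:object_r:semanage_read_lock_t:s0'

# rewrite_fcontexts OLD NEW: read file_contexts lines on stdin and print them
# with the literal path prefix OLD replaced by NEW. Comments and blank lines
# are dropped; the optional file-type field (e.g. "--") and the context are
# copied through unchanged, so the regex part of each rule is all that moves.
rewrite_fcontexts() {
    awk -v old="$1" -v new="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        index($1, old) == 1 { $1 = new substr($1, length(old) + 1) }
        { print }
    '
}

# to_semanage_cmds: turn file_contexts lines into the "semanage fcontext -a -t
# TYPE PATTERN" form used in the thread. The type is the third field of the
# context. The file-type qualifier is not carried over, so each rule applies
# to every file type; run restorecon -R on the new directory after adding them.
to_semanage_cmds() {
    awk -v q="'" '
        NF >= 2 {
            n = split($NF, c, ":")
            if (n >= 3) printf "semanage fcontext -a -t %s %s%s%s\n", c[3], q, $1, q
        }
    '
}

# Demo: print the semanage commands for the constructed sample.
printf '%s\n' "$SAMPLE_FCONTEXTS" \
    | rewrite_fcontexts /etc/selinux /var/lib/selinux \
    | to_semanage_cmds
```

The same functions work on a full file_contexts (`rewrite_fcontexts /etc/selinux /somefs/writable/place < file_contexts`), which is how you would cover every rule Dan listed rather than the four in the sample.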