Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp3264489pxu; Tue, 8 Dec 2020 07:39:59 -0800 (PST) X-Google-Smtp-Source: ABdhPJyPmy6Hd9Vbrya+Cvf6TykhKf3VC6+y7+zmLAkStuTw/I/h0RryNLoJlDMqSoQz8tzRNDvU X-Received: by 2002:a17:907:214d:: with SMTP id rk13mr24176368ejb.501.1607441999543; Tue, 08 Dec 2020 07:39:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607441999; cv=none; d=google.com; s=arc-20160816; b=b0h69wvfNFsFtwf+4I/MF/bXfJkZRgLkpnKd8ZpKQVO7Ijr3cyQzA7Yn6hONj+5rK1 xfzHgJeLhk0AN5CXZ9VHrKQQ8KnRC+OKDDcSmVTlBc0KB4u87mzeq6AJwHC4iQ39QoJ3 qxfOE6bmdtHKK4pNkdRfbuwS7KA3miq1efrCqB/qo/4Tcwa/5tyvA+cprAlNnu05Z/hA e0dUF+Klyll9lmkjlImxbvy31TQaNy9oVdvfL1pAXoALPCu7Bm0iDzITPm8nIvBm2ZOb 8l9FezOznuU1kWBEGug7KU8/UCH8r0Jtl74O4KNWURtj2Wokijfo/8bvu9eALAnCvy8o o9qA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=d1l06EzuXi1Z/ejrQbyaJmmkIf7TrkQv6PGe4mdpQIM=; b=FsTysEsc9PTZT3mtpdxfRf6evrTXPvhb78DhOciV7ZbbofokODT25F1lw2Vs9crgCK bNUAfs1pDzKnJyY783uP6M1EXdm4f1Xyy1W5eOAGvtY7LCc2A0tEqSpkYIw9nZam/X+j pIPfidEJwaik9S1rvsg4Yx17UlmZA28vyZJEDFltaSs8gm/LsoncQ+yuE8TdusgjjE3o D1tdu+7SimDaeRE8CVeSxDHrSUl2bF5uacvFL4Q7zKup1HYr+dORlzpumjrQEibz1c39 TGnaoSISM7QbHZtsjtDx2iAByZHomI12lfKFcHQr76mSrfuPLh4RIxpA1hP4pNo0AWmx X2qQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=KJ3Vui96; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e18si8698410ejq.261.2020.12.08.07.39.53; Tue, 08 Dec 2020 07:39:59 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=KJ3Vui96; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730095AbgLHPh0 (ORCPT + 16 others); Tue, 8 Dec 2020 10:37:26 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48026 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730148AbgLHPh0 (ORCPT ); Tue, 8 Dec 2020 10:37:26 -0500 Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4FB3DC061749 for ; Tue, 8 Dec 2020 07:36:40 -0800 (PST) Received: by mail-qt1-x831.google.com with SMTP id z20so4226540qtq.3 for ; Tue, 08 Dec 2020 07:36:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=d1l06EzuXi1Z/ejrQbyaJmmkIf7TrkQv6PGe4mdpQIM=; b=KJ3Vui96V3oUtQctr6LZeqjF+gUimkL/U8WIDxixUrpEOo968ShOSKeFeQ/mHHV7aO LktihjF2peiw+69zTG0GTYreuw1SpUweSowo6IjeM4lvCjVfKEGFAtDW2zjio0di+9KE /4PvT+uX9c4if0zKYKiajq+J80dN26eH4qaCQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=d1l06EzuXi1Z/ejrQbyaJmmkIf7TrkQv6PGe4mdpQIM=; b=HoHOcI1vLQQ5MbxtOHzjyREP9ObLO3pxW4c5W5hiftF25JGzwcwN0+enF5xHtniazb d2Tn/UgvtIrupWy4IRYiajZeHUnFs18jM0Gu1gLGEPSy+I4eqo5UejMZ5c0+2N4+zG/m dARQW3P1Eqc194T6oLKuDTGIjlSF+6Yz32NiAqwrAyAvoQfYZU3UWx2x5bwCnf9q35Mn PtNqM8A2Ra2SkeEy8ZUzfus+/Q3Hb2yMIeWsexpPwg4K+syzh3h3Ms32Zt3LH9zj1xEX HM44uQaTJNiN1C3F71pNmMxMUVsYnrsfZsWoG09BNRx76zBpcbn14lsv6ERgBdnJbOHn wDOg== X-Gm-Message-State: AOAM5333bF/148e9HT1u4Ml6L0VAHcgAtl41GwolnU+Hr9AIpcKrbZ49 UVyd6QGJ5vpDJQ8PfbENrfrW0g== X-Received: by 2002:ac8:877:: with SMTP id x52mr31217761qth.334.1607441799475; Tue, 08 Dec 2020 07:36:39 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id y22sm4772822qkj.129.2020.12.08.07.36.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 08 Dec 2020 07:36:38 -0800 (PST) Subject: Re: How is policy.31 created from modules under /usr/share/selinux To: Ashish Mishra , Richard Haines Cc: selinux-refpolicy@vger.kernel.org, Paul Moore References: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com> <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com> From: Chris PeBenito Message-ID: <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org> Date: Tue, 8 Dec 2020 10:36:37 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org (SELinux main mail list to BCC since this is a refpolicy question.) On 12/7/20 8:26 AM, Ashish Mishra wrote: > 4) Further debugging I can confirm that the final binary (policy.31) > seems to be > using HARD-CODDED location of /etc/selinux instead of what is > being passed as DESTDIR. > The policy.31 is created not at custom-embedded-rootfs location. > > Due to this : > - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31 > instead of what i was expecting at > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31 > as DESTDIR=${ROOT} and i do get *.pp at the expected > location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy > ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load > DESTDIR=${ROOT} I can't reproduce your issue. I use monolithic policy regularly in the way you're using it. Here's the Makefile variables: From Makefile: topdir := $(DESTDIR)/etc/selinux installdir := $(topdir)/$(strip $(NAME)) policypath := $(installdir)/policy From Rules.monolithic: loadpath = $(policypath)/$(notdir $(polver)) $(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g. "refopolicy". Then the install target for monolithic looks like this (with "echo"s removed): $(loadpath): $(policy_conf) @$(INSTALL) -d -m 0755 $(@D) $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ -- Chris PeBenito