From: Ashish Mishra
Date: Tue, 8 Dec 2020 21:28:06 +0530
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
To: Chris PeBenito
Cc: Richard Haines, selinux-refpolicy@vger.kernel.org, Paul Moore

Hi Chris,

Continuing on the inputs Richard shared, I was able to zero in on the problem.
To recreate, the issue can be tested directly with the command mentioned in step c.

a) I have a custom-rootfs under which I am trying to get the refpolicy installed.

b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches the state where
       # semodule -s refpolicy -i NAME-OF-MODULE
   is triggered for every module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
   ==> This semodule behavior is causing the problem.

c) By default semodule installs the file under /etc/selinux of the HOST system
   rather than /tmp/custom-rootfs/etc/selinux.
   This behaviour can be recreated / verified by:
       # semodule -s selinux-store-name -i sample.pp
   This instruction creates an entry for selinux-store-name and creates a policy.32 file there.
   ==> Instead, here I wanted the file to be created under
       /tmp/custom-rootfs/etc/selinux & not /etc/selinux

d) Currently trying to look at the file from where this instruction is executed
   & then check if somehow semodule can be made to use
   /tmp/custom-rootfs/etc/selinux over the default /etc/selinux

Thanks for sharing the info w.r.t. your use case, will look at them.
They can help me to understand the process in a better way.

Please feel free to revert if any further details are required or if I am
missing any aspect.

Thanks,
Ashish

On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito wrote:
>
> (SELinux main mail list to BCC since this is a refpolicy question.)
>
> On 12/7/20 8:26 AM, Ashish Mishra wrote:
> > 4) Further debugging I can confirm that the final binary (policy.31)
> > seems to be
> >     using HARD-CODED location of /etc/selinux instead of what is
> > being passed as DESTDIR.
> >     The policy.31 is created not at custom-embedded-rootfs location.
> >
> >     Due to this :
> >     - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> >       instead of what i was expecting at
> > /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> >       as DESTDIR=${ROOT} and i do get *.pp at the expected
> > location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> >           ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load
> > DESTDIR=${ROOT}
>
>
> I can't reproduce your issue. I use monolithic policy regularly in the way
> you're using it.
>
> Here's the Makefile variables:
>
> From Makefile:
> topdir := $(DESTDIR)/etc/selinux
> installdir := $(topdir)/$(strip $(NAME))
> policypath := $(installdir)/policy
>
> From Rules.monolithic:
> loadpath = $(policypath)/$(notdir $(polver))
>
> $(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g.
> "refpolicy".
>
>
> Then the install target for monolithic looks like this (with "echo"s removed):
>
> $(loadpath): $(policy_conf)
>     @$(INSTALL) -d -m 0755 $(@D)
>     $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@
>
> --
> Chris PeBenito
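
Added example, not part of the original thread and not refpolicy code: a shell check for the symptom reported above, where the compiled policy.N ends up in the host's /etc/selinux instead of under DESTDIR. The function names, the stamp-file convention and the optional HOSTROOT argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names, not refpolicy code).
# Usage: touch /tmp/build.stamp
#        make load DESTDIR=/tmp/custom-rootfs
#        sh this-script /tmp/custom-rootfs refpolicy /tmp/build.stamp

# Print compiled policy files (policy.31, policy.32, ...) in ROOT's store NAME
# that were modified after the file STAMP.
policy_newer_than() {
    root=${1%/}; name=$2; stamp=$3
    dir="$root/etc/selinux/$name/policy"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f -name 'policy.[0-9]*' -newer "$stamp"
}

# check_staged_build DESTDIR NAME STAMP [HOSTROOT]
# Returns 0: policy was written under DESTDIR and the host store is untouched
#         1: the host store was modified after STAMP (the behaviour reported)
#         2: nothing was written under DESTDIR
check_staged_build() {
    destdir=$1; name=$2; stamp=$3; hostroot=${4:-/}
    host_hits=$(policy_newer_than "$hostroot" "$name" "$stamp")
    stage_hits=$(policy_newer_than "$destdir" "$name" "$stamp")
    if [ -n "$host_hits" ]; then
        echo "host policy store modified by the build: $host_hits" >&2
        return 1
    fi
    if [ -z "$stage_hits" ]; then
        echo "no policy.N under $destdir/etc/selinux/$name/policy" >&2
        return 2
    fi
    echo "policy staged only under DESTDIR: $stage_hits"
    return 0
}

# Run the check when called with DESTDIR NAME STAMP [HOSTROOT].
if [ "$#" -ge 3 ]; then
    check_staged_build "$@"
fi
```

A host policy file older than the stamp is not reported, so an existing host policy does not cause a false alarm.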