Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4050217pxu; Wed, 9 Dec 2020 07:13:36 -0800 (PST) X-Google-Smtp-Source: ABdhPJyNnUAwrfCDCADggEsgOEXMxDP7PWGMkK/SyqhzuWvkDtDTJ0p3rxnx6UsrIdhJ2N5yhON5 X-Received: by 2002:a17:906:c087:: with SMTP id f7mr2477143ejz.492.1607526815898; Wed, 09 Dec 2020 07:13:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607526815; cv=none; d=google.com; s=arc-20160816; b=ZUcCDKfVdvyg4RQI/EAR3JG76Yt5DeohuwtuW9E+NWP9c6xDrL6ONJkpmvGmoEqORk DVNrSAzV+sDhTWKfbhx2uCNlSVGAr/4zsxVNT5jsoz9oePMvYs76JhPA8aHHjRUOAf+2 U5C2xyYPlGBAhCCaPTZCoMQCRGtzli0kXLBFsaBpzyZDG96bn1K6/dx+T7JWEbuMZp39 3XJr253fUIA7XQpAvOr5VI7ogonTxCRKq0Xsf94C4BjGxEXzCV/GHaPgZ845uqbLoZAb M9NI2MwAVsxQCdIucSg4wXWg+/62qlQdZtV5aB4bLMHPUmwVEDvERUahVjN3G96NzvYD EAeQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=sPED/BmlEJRV7ESiyYa87gdBhsqWKrIEYIfe6OR24h4=; b=rZRG1kx75bSKtinCb01g/zfTFnklQQVvjoBwHliA3KgM/Qfrzqz7zxwzPcihqlsMyN wFsQMPNXGhk4X1TK6n+44RAqWKfaCGkUAqkEV8QgZo5PUu78GJA/08gG3vthvlbILbMt 76+jbWKia1YdAHL/b5Luy9+Rl4dLDTCEL7D5P/EpGHRsN+sAHUmj+PcMetWBZWe5gpsu 5IRbWpTDeCYzU3LMwe21dpyOXtSx2nLcJAOtCi0dFKCHyVVHZd0UlKDE5fD7ZieBafdC CBiEqJjGIN2jkm9r4/jtiNgD+vw15Nt9jyTwVZCVZ9pN5pKJergf4O2rz7f254+R8i7J sAjw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@mvista-com.20150623.gappssmtp.com header.s=20150623 header.b=ZlbHwZGO; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l19si968183edq.537.2020.12.09.07.13.23; Wed, 09 Dec 2020 07:13:35 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@mvista-com.20150623.gappssmtp.com header.s=20150623 header.b=ZlbHwZGO; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726354AbgLIOM4 (ORCPT + 16 others); Wed, 9 Dec 2020 09:12:56 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33886 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727090AbgLIOMy (ORCPT ); Wed, 9 Dec 2020 09:12:54 -0500 Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6ED7DC061793 for ; Wed, 9 Dec 2020 06:12:14 -0800 (PST) Received: by mail-wm1-x336.google.com with SMTP id g185so1816751wmf.3 for ; Wed, 09 Dec 2020 06:12:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mvista-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sPED/BmlEJRV7ESiyYa87gdBhsqWKrIEYIfe6OR24h4=; b=ZlbHwZGOBj2dQNdJ8wJlRYD1g1zVs5HNr7FDQgC8LFgQkkE0wppUPESDtmzeg/HJ2v PJX74cTa9ZTQ3Lpf+MOkLTNwh7E/6yVbA+qZSzM+ZJgchCSiGt2HVCn3xG4+u7dOY6uf p8+9eVaEf1jt99KXlcdtdwpnaNcfPVzG6mzcT1iJLC4VrEhIwQwTVVSgD7b30nxz/clv X8dttnYH4TsBpKa/TAK5xAaaCKcLUUskTzxuwjqMGx6pUMExsBt8au5xxx3tGf9seWjG Zs8ca8NbVDG5R64mV7DApj/oSTj/UrTwHvCllOI1Yb8+mh26xQqT30rAhW02HLoLfADg ADvw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sPED/BmlEJRV7ESiyYa87gdBhsqWKrIEYIfe6OR24h4=; b=JkS9bAbu+OUoFdI1lgD57ESxtVbUNSyQNzA+RYY+e5nQUZyPLpT1SfPEabhBIzlXC0 XyevsnfePcYe1A2kg6o5wwgGJeXTeKxNcGBNBOMdfaM1Rx2SIu+6BkihnCUbpICbTuaA bwo7OZYo3gZTSmWzv3moZpLwv+KJ3TQGQFPOgb5us2Wd8u3A1rvDYUdwIQCvI8/aQTSr iCf4kmcKjnKV7LsT9m7GaEZf4M0RQ0dzofuC08WbH/3rbwUJt5Nxx1BoY2U7ljMB2Fu9 pEkJ+u9ylsKoyVxLON2oYwhgUIxmHJMsIn/ErRSPbJUxZctGVBLzc5oeu8Z6DnThgOGi aktA== X-Gm-Message-State: AOAM533Swn2Pr1FokCgksFFmMBB9NXZ4MZln1UFZvL024SIoajuN1pjJ njfgyO4ycjRh4KRBQ2ruF2kkDtMxu49nemMXS/Vl3w== X-Received: by 2002:a1c:e342:: with SMTP id a63mr3097286wmh.64.1607523133095; Wed, 09 Dec 2020 06:12:13 -0800 (PST) MIME-Version: 1.0 References: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com> <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com> <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org> <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com> In-Reply-To: <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com> From: Ashish Mishra Date: Wed, 9 Dec 2020 19:42:01 +0530 Message-ID: Subject: Re: How is policy.31 created from modules under /usr/share/selinux To: Richard Haines Cc: Chris PeBenito , selinux-refpolicy@vger.kernel.org, Paul Moore Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Hi Richard , Will check with the monolithic policy to check the behavior of the semodule as you suggested. Is there any similar approach / workaround for modular one? Thanks for pointers again. Ashish On Wed, Dec 9, 2020 at 3:23 PM Richard Haines wrote: > > On Tue, 2020-12-08 at 21:28 +0530, Ashish Mishra wrote: > > Hi Chris , > > > > Continuing on the inputs Richard shared , I was able to zero down to > > the problem. > > To recreate , step can be directly tested by command mentioned in > > step-c > > > > a) I am having custom-rootfs under which I am trying to get the > > refpolicy installed. > > > > b) By using make load DESTDIR=/tmp/custom-rootfs , the setup reaches > > to state where > > # semodule -s refpolicy -i NAME-OF-MODULE is triggered for every > > module under /tmp/custom-rootfs/usr/share/selinux/refpolicy > > ==> This semodule behavior is causing the problem. > > > > c) By default semodule install the file under /etc/selinux of HOST > > system rather than /tmp/custom-rootfs/etc/selinux > > This behaviour can be recreated / verified by : > > # semodule -s selinux-store-name -i sample.pp > > This instruction creates an entry of selinux-store-name and > > creates policy.32 file there . > > ==> Instead , here i wanted the file to be created under > > /tmp/custom-rootfs/etc/selinux & not /etc/selinux > > > > d) Currently trying to look at the file from where this instruction > > is > > executed & then check if > > somehow semodule can be made to use /tmp/custom- > > rootfs/etc/selinux > > over default /etc/selinux > > > > Thanks for sharing the info w.r.t your use case , will look at them . > > They can help me to understand the process in a better way. > > > > Please feel free to revert if any further details are required or if > > i > > am missing any aspect . > > I've been AWOL for a few days so just picking up on this query. I can > now see the problem as described. If you generate a monolithic policy > (MONOLITHIC=y) using sequence below it all works. However if you build > a modular policy (MONOLITHIC=n), then semodule will install the final > binary policy in /etc/selinux/refpolicy/policy regardless of DESTDIR. > > I guess semodule should obey orders?? > > export DESTDIR=/tmp/custom-embedded-rootfs > mkdir refpol > cd refpol > git clone https://github.com/SELinuxProject/refpolicy.git > Edit build.conf file to requirements (e.g. NAME = refpolicy etc.) > make install-src > cd /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy > make conf > make load > > > > > > > > Thanks , > > Ashish > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito > > wrote: > > > > > > (SELinux main mail list to BCC since this is a refpolicy question.) > > > > > > On 12/7/20 8:26 AM, Ashish Mishra wrote: > > > > 4) Further debugging I can confirm that the final binary > > > > (policy.31) > > > > seems to be > > > > using HARD-CODDED location of /etc/selinux instead of what > > > > is > > > > being passed as DESTDIR. > > > > The policy.31 is created not at custom-embedded-rootfs > > > > location. > > > > > > > > Due to this : > > > > - policy.31 is created in > > > > /etc/selinux/refpolicy/policy/policy.31 > > > > instead of what i was expecting at > > > > /tmp/custom-embedded- > > > > rootfs/etc/selinux/refpolicy/policy/policy.31 > > > > as DESTDIR=${ROOT} and i do get *.pp at the expected > > > > location of /tmp/custom-embedded- > > > > rootfs/etc/selinux/refpolicy/src/policy > > > > ${MAKE} -C > > > > ${ROOT}/etc/selinux/${PKG}/src/policy load > > > > DESTDIR=${ROOT} > > > > > > > > > I can't reproduce your issue. I use monolithic policy regularly in > > > the way > > > you're using it. > > > > > > Here's the Makefile variables: > > > > > > From Makefile: > > > topdir := $(DESTDIR)/etc/selinux > > > installdir := $(topdir)/$(strip $(NAME)) > > > policypath := $(installdir)/policy > > > > > > From Rules.monolithic: > > > loadpath = $(policypath)/$(notdir $(polver)) > > > > > > $(notdir $(polver)) is "policy.31" and NAME is what you have in > > > build.conf, e.g. > > > "refopolicy". > > > > > > > > > Then the install target for monolithic looks like this (with > > > "echo"s removed): > > > > > > $(loadpath): $(policy_conf) > > > @$(INSTALL) -d -m 0755 $(@D) > > > $(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@ > > > > > > -- > > > Chris PeBenito > >