Subject: Re: How is policy.31 created from modules under /usr/share/selinux
To: Richard Haines, Ashish Mishra, Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org, Paul Moore
From: Steve Lawrence
Date: Wed, 9 Dec 2020 10:07:14 -0500

On 12/9/20 9:37 AM, Richard Haines wrote:
> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
>> Hi Richard,
>>
>> Will check with the monolithic policy to check the behavior of the
>> semodule as you suggested.
>>
>> Is there any similar approach / workaround for modular one?
>
> I've only had a quick look at code and I could see two ways to fix:
> 1) Modify the Rules.modular part of the make file to move or copy the
> policy and file contexts set of files over to $DESTDIR.
> 2) Modify semodule/semanage to handle $DESTDIR. I think this would be
> more difficult to fix as lots go on here.
>

semodule does accept the -p option to change the root, so we could feed
DESTDIR into that. For example, a minimally tested patch:

diff --git a/Rules.modular b/Rules.modular index d6224e95..64d953dc 100644 --- a/Rules.modular +++ b/Rules.modular 
@@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles) # make sure two directories exist since they are not # created by semanage @echo "Loading configured modules." - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(DESTDIR)/var/lib/selinux + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) ######################################## #

Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
expects that to already exist.

Though, I would suggest that maybe the "install" target should run the
above semodule command with the --noreload option to install all files
and build the policy binary but not actually load it into the kernel.
Then make load just becomes something like

  semodule -p $(DESTDIR)/ --reload

Makes a clear distinction between installing everything that's needed vs
actually loading the policy into the kernel. Happy to create a patch if
that approach makes sense.
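
Review bot: the added $(INSTALL) line hard-codes the store location as $(DESTDIR)/var/lib/selinux, while the other arguments on that line come from variables ($(policypath), $(fcpath)); putting the store path in a make variable next to those would keep the directory the recipe creates and the root handed to $(SEMODULE) -p defined in one place. The new $(SEMODULE) line also stays in the "load" target and passes -p $(DESTDIR)/ without --noreload, so a staged run with DESTDIR set still goes through the same recipe that is meant to load policy into the running kernel; adding --noreload whenever DESTDIR is non-empty, or moving the install step out of "load", would make the staging case explicit. The comment above the recipe still says "two directories" although three are now created.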