Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4065437pxu;
        Wed, 9 Dec 2020 07:33:17 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxtnNqlBN8u/brUcPiybCepYjGLR00Sl0qAkawXYnuCsTdsNFUNO/YGFp3SBCpogSnwtUL0
X-Received: by 2002:a17:906:b7cc:: with SMTP id fy12mr2582028ejb.44.1607527997286;
        Wed, 09 Dec 2020 07:33:17 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1607527997; cv=pass;
        d=google.com; s=arc-20160816;
        b=rjof1tzq4AyAeV7bTGOIcByKHVSSbTVhPTeiJj5BWI6RqVEHvzFpZtLWx/hvLFfY3+
         2xEbYm8THio7Z28II8zeR3mYYo+MFVHoIykIQqHYGUhrBwC5SUHg5YSuiINF6N91VfwJ
         QYE7C/8i6oOJI+xs8ZAtulM6OT4mNPysOlY990ax37aPF/MZVp+gjEW3ZIUl4Msok3hY
         YhL2frF0HWEKbenK6q/rSNqJVYj1ia/SkaRaYI++AP8DwIYMV9dJONp0Xti5iXgYTC2u
         qu6HIRrQfAyStaJCwoNWn+Md7Q75XKDGAjd3pzAgT7L3hNvfyNNPR8VTqlUX5HdRve16
         HIbQ==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:content-transfer-encoding
         :content-language:in-reply-to:user-agent:date:message-id:from
         :references:cc:to:subject:dkim-signature;
        bh=EhzLbzifG04bPXG5X3XOc2hYXbHUlBJ6npTdjK9OGFE=;
        b=sOjg0ihOqibHitCuvdmNXCXyn2A1dAKZ/+aN4871WMEUuevU8pwXCeSmy/3Hnj5MxU
         BmTrWmd0NYTVv8gaWSolFYWjS+Zj5b8q/nEcITMJXpifb6Qt7cRQe81fk3FdsD3/Neb4
         qYFYaXO6pV4qAz7On+amAjS91kVYdopRg5Juj1BVxMvXIpCls1o8qndN6MabFAl5xsEc
         CO54xbKmleU3vOy1L2wi9dOp+gGW8gNnVp9WwUqhQEDhhrRzc7HpUAYCyXBsJzKX/l/d
         GiuXDa4S4/vNdOYqdDB9haXARYhEv5w26GpR5g6CTs4zo9uK9NSg4FHHmxG28MmmWwOm
         8kiQ==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@owlcyberdefense.com header.s=selector1 header.b=Ue8lx03+;
       arc=pass (i=1 spf=pass spfdomain=owlcyberdefense.com dkim=pass dkdomain=owlcyberdefense.com dmarc=pass fromdomain=owlcyberdefense.com);
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id 30si1072033edv.385.2020.12.09.07.33.09;
        Wed, 09 Dec 2020 07:33:17 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@owlcyberdefense.com header.s=selector1 header.b=Ue8lx03+;
       arc=pass (i=1 spf=pass spfdomain=owlcyberdefense.com dkim=pass dkdomain=owlcyberdefense.com dmarc=pass fromdomain=owlcyberdefense.com);
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729130AbgLIPIK (ORCPT <rfc822;preetikerneldev@gmail.com>
        + 16 others); Wed, 9 Dec 2020 10:08:10 -0500
Received: from mail-bn8nam12on2138.outbound.protection.outlook.com ([40.107.237.138]:52705
        "EHLO NAM12-BN8-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726851AbgLIPIK (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 9 Dec 2020 10:08:10 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=BmvrVJOFVsAu8cVVrZWZOzvCRCUYP1WC+gDRjLxc0bGS3RYTBZp5DLeNuo2I/mJc5lGuUZDTsQb6HCAgCFRoweduEFZklI4Esv5XHOf0Oq9EAIbOmTUdTS1fXdd03qS1Pj9jRIqCwbkgnAjZqU6g5Ow/Dif7XXUYv/b20dCAOmFwAiF1r7c9eFs8O7C5Nlci61pWID075/wrw1GNn6limTYqwfh4RGAJlRWAYB5FnDZIY23s+yAV5T+0sZPSYJDO7JSQSkgSNObpdFstCWnLZ/lg/rYsCj4EbjWlBq54Y08Nxi96NQJWlylNj7EjHEcJYSkmKe166E6sdRw2Ovat/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=EhzLbzifG04bPXG5X3XOc2hYXbHUlBJ6npTdjK9OGFE=;
 b=Qk4OZ0rVIvj23TGjXsxFVI3bCRc3CHpNyicR2Z572Pxhg3XGJbAQCiqFIWp2OLOgrSSxJjI1kBLupKQYc6/9W9lmB2N4XW8hM87Mjgk37AtiM7kXgsKub/oVY/vcqCckrj9JxXBhrSqZVddPHIS0LdDb1FYN3ZgQaRhTyVtg2b42NYmkjZI1R9iqUxj+7rIJp489F/MoGoCUCtrgJCLYEB+rim9bpqj01c7VwIsPQQEyWFftkb8jtAHdz4uWuRB5IFQDNG9606sGegqahHKwLkWgUJiJkiVe/+UaagT4oulopj4VI4hGHbW55grN1zcCRII+9id0PTozkfSBjp/EQQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=owlcyberdefense.com; dmarc=pass action=none
 header.from=owlcyberdefense.com; dkim=pass header.d=owlcyberdefense.com;
 arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=owlcyberdefense.com;
 s=selector1;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=EhzLbzifG04bPXG5X3XOc2hYXbHUlBJ6npTdjK9OGFE=;
 b=Ue8lx03+a9NaoLhDTpjvmznwq/6XfZAHyoVOe3H6FRHuqISysNM4r0i7Xp+H1rOi5dejr+XadRk7g6RMaBCiVaBGT3HMOY+/qkDrt4a0Q5boCFJ107g3M2oD2RzME7siAJVWJN4i9mQFKWDZh9Gb6IxuDALEJSzBiUbgHdjofo8=
Authentication-Results: paul-moore.com; dkim=none (message not signed)
 header.d=none;paul-moore.com; dmarc=none action=none
 header.from=owlcyberdefense.com;
Received: from BN8PR15MB3473.namprd15.prod.outlook.com (2603:10b6:408:75::18)
 by BN6PR15MB1825.namprd15.prod.outlook.com (2603:10b6:405:53::17) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12; Wed, 9 Dec
 2020 15:07:16 +0000
Received: from BN8PR15MB3473.namprd15.prod.outlook.com
 ([fe80::1163:78e6:84a1:12f1]) by BN8PR15MB3473.namprd15.prod.outlook.com
 ([fe80::1163:78e6:84a1:12f1%3]) with mapi id 15.20.3632.023; Wed, 9 Dec 2020
 15:07:16 +0000
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
To:     Richard Haines <richard_c_haines@btinternet.com>,
        Ashish Mishra <ashishm@mvista.com>,
        Chris PeBenito <pebenito@ieee.org>
Cc:     selinux-refpolicy@vger.kernel.org, Paul Moore <paul@paul-moore.com>
References: <CAP2OjcjCFYiyMfqa=X__X6g0U0143U5Fd-xGaKJgGNabFUpr7w@mail.gmail.com>
 <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com>
 <CAP2OjciTWXRsYWw9VtOJGUOGj9B35HMXBHF94O6Qc=csg5=Spw@mail.gmail.com>
 <e82841a8b652f4b4b697ba1e417fdac56f443adb.camel@btinternet.com>
 <CAP2OjchJjMo8zMVvHk-_esu-53E0=367yV8cuZtwQwubi7+q=Q@mail.gmail.com>
 <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com>
 <CAP2Ojcg7DgQsEHJP3TZj=Q9NjZjqb3ugw+D2UYC4qmqt-PcZWw@mail.gmail.com>
 <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org>
 <CAP2OjcgtcoUmBQZJSzz2DYQ-g23=RrSXT-uefCROUi3y_tU=tg@mail.gmail.com>
 <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com>
 <CAP2OjciFL+zWnyU8VVp1qbD+1mguR8bB9+XPNSR2gbt6avi93g@mail.gmail.com>
 <a926d6a67a7c4013983c716c8a797b9194e2f81a.camel@btinternet.com>
From:   Steve Lawrence <slawrence@owlcyberdefense.com>
Message-ID: <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com>
Date:   Wed, 9 Dec 2020 10:07:14 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.4.0
In-Reply-To: <a926d6a67a7c4013983c716c8a797b9194e2f81a.camel@btinternet.com>
Content-Type: text/plain; charset=windows-1252
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Originating-IP: [108.51.48.144]
X-ClientProxiedBy: MN2PR16CA0029.namprd16.prod.outlook.com
 (2603:10b6:208:134::42) To BN8PR15MB3473.namprd15.prod.outlook.com
 (2603:10b6:408:75::18)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.0.103] (108.51.48.144) by MN2PR16CA0029.namprd16.prod.outlook.com (2603:10b6:208:134::42) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12 via Frontend Transport; Wed, 9 Dec 2020 15:07:15 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 6caa3410-e9a0-4ccf-7371-08d89c541ddc
X-MS-TrafficTypeDiagnostic: BN6PR15MB1825:
X-Microsoft-Antispam-PRVS: <BN6PR15MB182581D479E6CE12B1A8E46AA2CC0@BN6PR15MB1825.namprd15.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:2512;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: DC7Wa8P2ZbQH8fe8U9rCimIpw4yLFB28KcwpG/yp6JT0WL0kGqgwDE/yPIvO8gsGL+jEXxApc2FDr7FxQERf7R2C9aftCk+y+JFj2fvgrH/DjNuW069BJrKAhiTCf1A3P3dQ1uiLnkl/92nD3xL2TxTqigBqpRO1vNYqO+1/Z4SbbjFxp0NbtqQNMWN7qrTmEnSIMZsvHT6TSIsjtoZl3RixTAURO+mSO9fwMV3WdK3TyebgEnYFwIY6NtP9mLbpKc7pkxVsJ49wQH7olf1YvhN8ljCr8OgbEY0BLUHA8BljbQiBxEAPi/jBDu6nvLZL9KusyP/jPED9L6S+QkD2rOPO3JkRl5bK0lAlF4HYwR3zEm7gg/uMJo0mw4Ct+AWgMZvztdBpsNIQaEW5l/hbdps28WffSxTgCP9kfpaQff/bOV6Oy0sKTwxqPzLTmwjd
X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:BN8PR15MB3473.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(4636009)(346002)(136003)(366004)(376002)(5660300002)(2616005)(8676002)(186003)(66946007)(66476007)(2906002)(6486002)(956004)(8936002)(26005)(86362001)(34490700003)(4326008)(31686004)(66556008)(16526019)(31696002)(52116002)(16576012)(36756003)(110136005)(53546011)(508600001)(43740500002)(45980500001);DIR:OUT;SFP:1102;
X-MS-Exchange-AntiSpam-MessageData: =?Windows-1252?Q?8ajr6vJhGkIaeVPt6KnQrxezij9BuyibQkiqWiW/oaaSrCjwiwnn1Tcc?=
 =?Windows-1252?Q?kWGF1exFtLV+7/6JZaAkjWRH/wqz+ialm7rrUKMPzHMGLiCtuo3XhSMs?=
 =?Windows-1252?Q?go7vB5lSvAuME24cwaSqdUC9vnt0CfKnMXDVVS0ipNmv4jHNE5C/CJpd?=
 =?Windows-1252?Q?MyakA9u3MeJ9So20bNVSH91DsBj7cX+n8V6Q516hlbqCY9u558tCJ5Vj?=
 =?Windows-1252?Q?0BW0nEedsHkxzSFMVOApNvyKQh/oLmYoMvJZ6Aoq1+ZviLC/+zgGbE3K?=
 =?Windows-1252?Q?mOT9QOWoA6aaxyyG074tJk4nLqyZFfY8NNJuzRALQHJLMoUQYZPnXEPz?=
 =?Windows-1252?Q?Dakpj2mxg5wv/dERTsTorLL6KrelYd63uvCqdCoawXkj0VjMpRts9mvw?=
 =?Windows-1252?Q?OuwxuheRljHvYd2F9wE2nLfvFjAJglOn4bVGoDi2q/eFNyzCcd2t+6Ok?=
 =?Windows-1252?Q?QizANsu8gnyvJiGNKYgyxDC+jcsH3lqzXA2bVNlwpxos3AQUWGnU7yAb?=
 =?Windows-1252?Q?b/gqaMpedL5QWLpQa/b+3J+3w+jR4iLjKp/9NI/Fz4JjnnAKKJEbjD4x?=
 =?Windows-1252?Q?n4kIHFFz0xUXOr3Hrj75CYjZI3Mn42gizfA0Q+QllZJP6AV6fowBa7ng?=
 =?Windows-1252?Q?seJ1XItkmttldawaDzEsaduvI8uCZgjGcO/pLKSc+COSOakF6MogsYUO?=
 =?Windows-1252?Q?89KTjw+C3NO+BG0YAIm9R9G9eIvIy/1l5eeG4KMwkuj40Owy/QlDLNTO?=
 =?Windows-1252?Q?DbifVff4A5IP82/bxXfNc+Wn0Rtjw6en47akFHTtRHwWjJac8rnfEtum?=
 =?Windows-1252?Q?dfb1IAdfMQ0qvE5opOeHWde6VKf7CVQDx50LVFhfq5lPcmE3eNkDJTMY?=
 =?Windows-1252?Q?voyVJDrK2/znusVufYoZvDZTJ75w4o24bG6S9YLLiKZUVZ0/u9pmGs5v?=
 =?Windows-1252?Q?nuO0OtemU0IDJvV/9jF2tRt7CXapvcbmlbJ7T4pMLkIs6ROL9CCHiW6m?=
 =?Windows-1252?Q?qVmAKt+sEJdKPMVE2FqaA3qphwpy8BL634/ssmVOwOpFY72m8m22CtTp?=
 =?Windows-1252?Q?8ntNwCxPul6YKjuz?=
X-OriginatorOrg: owlcyberdefense.com
X-MS-Exchange-CrossTenant-AuthSource: BN8PR15MB3473.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2020 15:07:16.3868
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-Network-Message-Id: 6caa3410-e9a0-4ccf-7371-08d89c541ddc
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: OOejjegoWWKoJ8DNgZLavKcSDxmxwUGCBayxclHQUn61q2qUj1S9UuSbQACSCDhvy6OviMR831UG4ItTy+jcCg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1825
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


On 12/9/20 9:37 AM, Richard Haines wrote:
> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
>> Hi Richard ,
>>
>> Will check with the monolithic policy to check the behavior of the
>> semodule as you suggested.
>>
>> Is there any similar approach / workaround for modular one?
> 
> I've only had a quick look at code and I could see two ways to fix:
> 1) Modify the Rules.modular part of the make file to move or copy the
> policy and file contexts set of files over to $DESTDIR.
> 2) Modify semodule/semanage to handle $DESTDIR. I think this would be
> more difficult to fix as lots go on here.
> 

semodule does accept the -p option to change the root, so we could feed
DESTDIR into that. For example, a minimally tested patch:

diff --git a/Rules.modular b/Rules.modular
index d6224e95..64d953dc 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
 # make sure two directories exist since they are not
 # created by semanage
 	@echo "Loading configured modules."
-	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
-	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
$(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
+	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
$(DESTDIR)/var/lib/selinux
+	$(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
$(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
$(modpkgdir)/$(mod))

 ########################################
 #


Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
expects that to already exist.

Though, I would suggest that maybe the "install" target should run the
above semodule command with the --noreload option to install all files
and build the policy binary but not actually load it into the kernel.
Then make load just becomes something like

  semodule -p $(DESTDIR)/ --reload

Makes a clear distinction between installing everything that's needed
vs actually loading the policy into the kernel. Happy to create a patch
if that approach makes sense.