Subject: Re: How is policy.31 created from modules under /usr/share/selinux
From: Richard Haines
To: Steve Lawrence, Ashish Mishra, Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org, Paul Moore
Date: Wed, 09 Dec 2020 16:13:43 +0000
In-Reply-To: <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com>
References: <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com>
 <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com>
 <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org>
 <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com>
 <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
>
> On 12/9/20 9:37 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> > > Hi Richard,
> > >
> > > Will check with the monolithic policy to check the behavior of
> > > the
> > > semodule as you suggested.
> > >
> > > Is there any similar approach / workaround for modular one?
> >
> > I've only had a quick look at code and I could see two ways to fix:
> > 1) Modify the Rules.modular part of the make file to move or copy
> > the
> > policy and file contexts set of files over to $DESTDIR.
> > 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> > be
> > more difficult to fix as lots go on here.
> >
>
> semodule does accept the -p option to change the root, so we could
> feed
> DESTDIR into that. For example, a minimally tested patch:
>
> diff --git a/Rules.modular b/Rules.modular
> index d6224e95..64d953dc 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
>  # make sure two directories exist since they are not
>  # created by semanage
>         @echo "Loading configured modules."
> -       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> -       $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> +       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(DESTDIR)/var/lib/selinux
> +       $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> $(modpkgdir)/$(mod))
>
>  ########################################
>  #
>
>
> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> expects that to already exist.
>
> Though, I would suggest that maybe the "install" target should run
> the
> above semodule command with the --noreload option to install all
> files
> and build the policy binary but not actually load it into the kernel.
> Then make load just becomes something like
>
>   semodule -p $(DESTDIR)/ --reload
>
> Makes a clear distinction between installing everything that's needed
> vs actually loading the policy into the kernel. Happy to create a
> patch
> if that approach makes sense.

Thanks Steve, that worked for me, however I guess Chris needs to comment
as the $(DESTDIR)/var/lib/selinux needs to be generated and maybe a
clarification comment in the README. Also need comment regarding the use
of --reload/--noreload.
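Review bot: the modified `load` recipe passes `-p $(DESTDIR)/` to semodule without `--noreload`, so a staged build with DESTDIR set will not only populate the store under the staging root but also try to load that policy into the running kernel, which is rarely what a packager running `make DESTDIR=... load` expects; either add `--noreload` to this invocation and leave the kernel load to a separate step (the `semodule -p $(DESTDIR)/ --reload` split proposed later in the message), or guard the reload on DESTDIR being empty. Two smaller points in the same hunk: the unchanged context comment `# make sure two directories exist since they are not` / `# created by semanage` is now inaccurate, because the `$(INSTALL) -d` line creates three paths including `$(DESTDIR)/var/lib/selinux`, so the comment should be updated; and that store path is hardcoded while the neighbouring paths come from `$(policypath)` and `$(fcpath)`, so it would be more consistent to define it once as a variable and use that both here and wherever the store location is referenced.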