Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4095592pxu;
        Wed, 9 Dec 2020 08:15:33 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz3QTsTmtYN5yrFdYb6Wz4VOkJbEXyDNK0vhIi5G/3URRlR+U0N2z1DYzATbRyZIiuigqYX
X-Received: by 2002:a50:ee1a:: with SMTP id g26mr2750610eds.68.1607530533322;
        Wed, 09 Dec 2020 08:15:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1607530533; cv=none;
        d=google.com; s=arc-20160816;
        b=pcGa25sfe+DXa5BnSvnSof02YZN47T4Ue06JefbdbnmCnQj/P0y/OBGIhApJeoAcZn
         /BBZob2b/GejdbVBdLI6FmuT1W7jfoEPerYjf/cM89Pac9iGsF5B6zoVy/lYd7/lDGtW
         /faRB+Y4Q6BEc4Un3RaCgZxQLOdApNYTXA3vCTW9j4cW0s2R5VjNkvRKGkBBxDKp9AZm
         /VnTIgBEm3B8hW8d+nMREPbAZI37uKHhyZi8AEgBlXfoef1LKZX/lL4wUYB9HyCMDCoH
         qY5uvF2DaOEhyAGfRyVxes8UL40k37yxQbT4G2wayxD4FPJOgETbtmt+asWG6EK+X+MK
         kqnw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id:dkim-signature;
        bh=SUUCmiD2240OaCw20yjzUcMmlsh7SQBZGa6bkxQb7C8=;
        b=kueeEX31RymI0Q6ZKZaJJyfxPKqwCzEQ6W/87AFHi9RcAAuxLIXRA+T4rpjGZvQLq/
         mVyC340g+oJOlECg9F+zFZCuonvQ5ZC6KXXpQmx4ciluSNSU9jwXd/Xv62pmxB+fMrL5
         hAkgcH+y+TAHR6MxtpCi/1JZB3fNnqcJYMav3rKP7pEHSymidOCEpNKHkBuo+OKXqCcz
         9NZaGYPxVbPZgBvdMfg2ixlBPqqW5T3DqWjHt92CsB9/9HWUAqfG3eobiiGJeep3U1jj
         C8kozv3ES5jvG7JwqjcC6YipAIYzPhiZrcQsAOPo6AMGBY/Cbl/RvXk40IIMq1cvghEz
         fh+A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=VyLsHY+X;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z40si1084058ede.39.2020.12.09.08.15.26;
        Wed, 09 Dec 2020 08:15:33 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@btinternet.com header.s=btmx201904 header.b=VyLsHY+X;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=btinternet.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727059AbgLIQO2 (ORCPT <rfc822;preetikerneldev@gmail.com>
        + 16 others); Wed, 9 Dec 2020 11:14:28 -0500
Received: from mailomta1-re.btinternet.com ([213.120.69.94]:46009 "EHLO
        re-prd-fep-045.btinternet.com" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726247AbgLIQO2 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 9 Dec 2020 11:14:28 -0500
Received: from re-prd-rgout-002.btmx-prd.synchronoss.net ([10.2.54.5])
          by re-prd-fep-045.btinternet.com with ESMTP
          id <20201209161344.JUVF30806.re-prd-fep-045.btinternet.com@re-prd-rgout-002.btmx-prd.synchronoss.net>;
          Wed, 9 Dec 2020 16:13:44 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com; s=btmx201904; t=1607530424; 
        bh=SUUCmiD2240OaCw20yjzUcMmlsh7SQBZGa6bkxQb7C8=;
        h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References:MIME-Version;
        b=VyLsHY+X+QpZX984/BnW5mzAS9cJfY6dEQuOPoHIyplDHdmQCgxXfPfN6wCJTQwccKjxlvt1OoO4hojZ01N5eCaUqNSjuGaxifZJvjRNe8vUdWnYymkogqKvVTdE7+iHgSUO4/6GCMOsnXQ5cEA6v9E+hXHMUB0fqp74HbNnzfF1gb1S5pJqAtC0jQwVvpd9Mrk0SrdguJNxhyv4QR34kikGywb4VqHJtRngVAgpTam0Y/yfx8xhVWluUP/IXOH7lSZCaGzKlQpNawrvZEdc8mgW8tGbc8XrDKD7pLTIq/77VH3f99CCXgtIKER7Gt0qsrhintYPJt1Z+3YfLWT2qw==
Authentication-Results: btinternet.com;
    auth=pass (LOGIN) smtp.auth=richard_c_haines@btinternet.com
X-SNCR-Rigid: 5ED9C0CC1DCAACF0
X-Originating-IP: [213.122.112.1]
X-OWM-Source-IP: 213.122.112.1 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-VadeSecure-score: verdict=clean score=0/300, class=clean
X-RazorGate-Vade: gggruggvucftvghtrhhoucdtuddrgedujedrudejkedgkeeiucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuueftkffvkffujffvgffngfevqffopdfqfgfvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefkuffhvfffjghftggfggfgsehtkeertddtreejnecuhfhrohhmpeftihgthhgrrhguucfjrghinhgvshcuoehrihgthhgrrhgupggtpghhrghinhgvshessghtihhnthgvrhhnvghtrdgtohhmqeenucggtffrrghtthgvrhhnpefhkeegheduudeggfffkeehheettefgjedugefhhfevuedvveduhedtleejkeduveenucfkphepvddufedruddvvddrudduvddrudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhephhgvlhhopegludelvddrudeikedruddrudelkegnpdhinhgvthepvddufedruddvvddrudduvddruddpmhgrihhlfhhrohhmpeeorhhitghhrghruggptggphhgrihhnvghssegsthhinhhtvghrnhgvthdrtghomhequceuqfffjgepkeeukffvoffkoffgpdhrtghpthhtohepoegrshhhihhshhhmsehmvhhishhtrgdrtghomheqpdhrtghpthhtohepoehprghulhesphgruhhlqdhmohhorhgvrdgtohhmqedprhgtphhtthhopeeophgvsggvnhhithhosehivggvvgdrohhrgheqpdhrtghpthhtohepoehsvghlihhnuhigqdhrvghfphholhhitgihsehvghgvrhdrkhgvrhhnvghlrdhorhhgqedprhgt
        phhtthhopeeoshhlrgifrhgvnhgtvgesohiflhgthigsvghruggvfhgvnhhsvgdrtghomheq
X-RazorGate-Vade-Verdict: clean 0
X-RazorGate-Vade-Classification: clean
X-SNCR-hdrdom: btinternet.com
Received: from [192.168.1.198] (213.122.112.1) by re-prd-rgout-002.btmx-prd.synchronoss.net (5.8.340) (authenticated as richard_c_haines@btinternet.com)
        id 5ED9C0CC1DCAACF0; Wed, 9 Dec 2020 16:13:44 +0000
Message-ID: <cb30c0ce026bbad58666570dd92e172c4ae95955.camel@btinternet.com>
Subject: Re: How is policy.31 created from modules under /usr/share/selinux
From:   Richard Haines <richard_c_haines@btinternet.com>
To:     Steve Lawrence <slawrence@owlcyberdefense.com>,
        Ashish Mishra <ashishm@mvista.com>,
        Chris PeBenito <pebenito@ieee.org>
Cc:     selinux-refpolicy@vger.kernel.org, Paul Moore <paul@paul-moore.com>
Date:   Wed, 09 Dec 2020 16:13:43 +0000
In-Reply-To: <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com>
References: <CAP2OjcjCFYiyMfqa=X__X6g0U0143U5Fd-xGaKJgGNabFUpr7w@mail.gmail.com>
         <858c9383f7c75e1e39bafaeab6388cd6af902c4f.camel@btinternet.com>
         <CAP2OjciTWXRsYWw9VtOJGUOGj9B35HMXBHF94O6Qc=csg5=Spw@mail.gmail.com>
         <e82841a8b652f4b4b697ba1e417fdac56f443adb.camel@btinternet.com>
         <CAP2OjchJjMo8zMVvHk-_esu-53E0=367yV8cuZtwQwubi7+q=Q@mail.gmail.com>
         <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com>
         <CAP2Ojcg7DgQsEHJP3TZj=Q9NjZjqb3ugw+D2UYC4qmqt-PcZWw@mail.gmail.com>
         <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org>
         <CAP2OjcgtcoUmBQZJSzz2DYQ-g23=RrSXT-uefCROUi3y_tU=tg@mail.gmail.com>
         <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com>
         <CAP2OjciFL+zWnyU8VVp1qbD+1mguR8bB9+XPNSR2gbt6avi93g@mail.gmail.com>
         <a926d6a67a7c4013983c716c8a797b9194e2f81a.camel@btinternet.com>
         <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.38.1 (3.38.1-1.fc33) 
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> 
> On 12/9/20 9:37 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> > > Hi Richard ,
> > > 
> > > Will check with the monolithic policy to check the behavior of
> > > the
> > > semodule as you suggested.
> > > 
> > > Is there any similar approach / workaround for modular one?
> > 
> > I've only had a quick look at code and I could see two ways to fix:
> > 1) Modify the Rules.modular part of the make file to move or copy
> > the
> > policy and file contexts set of files over to $DESTDIR.
> > 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> > be
> > more difficult to fix as lots go on here.
> > 
> 
> semodule does accept the -p option to change the root, so we could
> feed
> DESTDIR into that. For example, a minimally tested patch:
> 
> diff --git a/Rules.modular b/Rules.modular
> index d6224e95..64d953dc 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
>  # make sure two directories exist since they are not
>  # created by semanage
>         @echo "Loading configured modules."
> -       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> -       $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> +       @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(DESTDIR)/var/lib/selinux
> +       $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> $(modpkgdir)/$(mod))
> 
>  ########################################
>  #
> 
> 
> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> expects that to already exist.
> 
> Though, I would suggest that maybe the "install" target should run
> the
> above semodule command with the --noreload option to install all
> files
> and build the policy binary but not actually load it into the kernel.
> Then make load just becomes something like
> 
>   semodule -p $(DESTDIR)/ --reload
> 
> Makes a clear distinction between installing everything that's needed
> vs actually loading the policy into the kernel. Happy to create a
> patch
> if that approach makes sense.

Thanks Steve, that worked for me, however I guess Chris needs to
comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
maybe a clarification comment in the README. Also need comment
regarding the use of --reload/--noreload.