Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp2641701pxu; Mon, 14 Dec 2020 07:31:05 -0800 (PST) X-Google-Smtp-Source: ABdhPJzmNH0HIMwISzLul6HS9ztoLEITlC364jDHf8Wbf/NlrXgHhHo0+Vr34uL067Pd9VDS0fsA X-Received: by 2002:a17:907:da7:: with SMTP id go39mr23963405ejc.58.1607959865576; Mon, 14 Dec 2020 07:31:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607959865; cv=none; d=google.com; s=arc-20160816; b=j3mfqxBumM5qFW6UOSNfG/40AQxIYyoDITfSTShbV537ECyUVHgAqcpkbXLByV58Q7 /6gaG0Z4dfScc0aJhJcY2oxeZjZEUXmn7COy6iTjM2HhPRm9ymYQBFA0oJt5T9MMaJUT Nv07jnpElh+qWzLS/Kzx03Z/an+q0CmNNw5kMNr4kq4Ohf5rpMm124GKz/CRddXuyKPj aBXnj/gdv6uKAWLlTytJitdMIbOvL8w3zs1VD7ITEJ1AsHkN8RuXWpWgPY/FDl9mUJtG JJk/+gUh6RdiqLVfhQColYfRT6AXDLm2f3OT47kxId7Z5UWFi1lZ5zEMgYknmeqsFjOj t7ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject:dkim-signature; bh=PvSgNL12bM319aPOHlpb3tyzabyFAN5dmy0SJgUk5Yk=; b=A1w89WFq8laW3/AoGFwXTG0DGo4mG4nFD4ttydjx2HM42gDraIMrUFI+rntxIwMTlP hkauZE4VzfTMxENTtDX6ZCyk5HFYFqLWKOuQpDY/+A0Mk9J6cZPE7zPq2qCghpp7IteF bgkoKDv9jqbNuG/NivU+fHwWQ9n2QUqgejcX5F9WjdKJby3DEz1qE8KOM3ubUVB3P8pp Rje6pWGZ5Wo8YTjn0Zi7zWh27zLAdC9ilcS4nl7DWpQ7X4VDh40SpcIgJNIZCFc6lOvc 3+IdOKfV64H3znXTaP8jzEldCdN3ub5DzWapGLYCFFjExtajb0LNNTMPflMhURZbeBrc kn8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=Cajk7ZMK; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x9si11998109eje.109.2020.12.14.07.31.00; Mon, 14 Dec 2020 07:31:05 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=Cajk7ZMK; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2438622AbgLNPRV (ORCPT + 16 others); Mon, 14 Dec 2020 10:17:21 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52368 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2438598AbgLNPRT (ORCPT ); Mon, 14 Dec 2020 10:17:19 -0500 Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 96005C0613D3 for ; Mon, 14 Dec 2020 07:16:39 -0800 (PST) Received: by mail-qk1-x72a.google.com with SMTP id c7so15860657qke.1 for ; Mon, 14 Dec 2020 07:16:39 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=PvSgNL12bM319aPOHlpb3tyzabyFAN5dmy0SJgUk5Yk=; b=Cajk7ZMKZAbPTO5Oylg+eUh+hTsfMlmR2IQRoTb97RDI+5NE6W8LPZ4TWLODDRWhI/ gxZDhixUJVpsko5V3+aoYGfxh8ZZU/T+lph3Y65ucjD2NXNG1urrGBBJUmGjAwKx3MsH tw1mx0SBla0AT/KeySZHz3gYTALS3HuC0JxPc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=PvSgNL12bM319aPOHlpb3tyzabyFAN5dmy0SJgUk5Yk=; b=mYrHW42HaSWkq0kQYTn4TjxG57pIe0fOB20frAKDezUpT0G4cZCzYLMPVUHIJG4uFN h5xaPlB28gEaxW/BUII4DjjsUTriOnVR3dYRL5EUtbbDRIXk+RxcrkBmtN2fuRTG/28d Yd4yZ4Leq54Q8jAWj4HktD1jiQCjWMRrkaAZueVHVcAstjehHHjm21D0G0TtIMecP8oE DAwCWImhqO0kGJaj+y4LwqSAyUjzuzt6eKxMyLW/tsIEQAUL9WG2Gy32q8XhJFzAr+KX 2ZLbytaZe7pxXTFZ7GsD6qUgG2hcJl+xaMuc+gQFjxNgAVsasFbRnTJEZMHKhn+KCmxb fHAA== X-Gm-Message-State: AOAM530jR9YdEdip4EyduNqzRZVtOdtVKYz8QE5W2C/90RUW7cwatiu8 F1m+gUQsf4vBACTzcuKD6rVS4Q== X-Received: by 2002:a05:620a:2e6:: with SMTP id a6mr31668241qko.375.1607958998766; Mon, 14 Dec 2020 07:16:38 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id x185sm14332269qkb.87.2020.12.14.07.16.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 14 Dec 2020 07:16:38 -0800 (PST) Subject: Re: How is policy.31 created from modules under /usr/share/selinux To: Ashish Mishra Cc: Richard Haines , Steve Lawrence , selinux-refpolicy@vger.kernel.org, Paul Moore References: <0b58a502b5036e8b92b274068fbea53ca915992e.camel@btinternet.com> <2806a33b-87ad-61b1-9143-5a24d770a180@ieee.org> <1b218c6ab1380164cd6c1c774fa4cd3db6d8eb8c.camel@btinternet.com> <217b4754-6f3b-cf71-b0be-440f8517312a@owlcyberdefense.com> <950fdabd-07a4-0446-3a3d-4928a14e5962@ieee.org> From: Chris PeBenito Message-ID: <33c70a8e-09be-d779-33ec-a07cbf22440f@ieee.org> Date: Mon, 14 Dec 2020 10:16:36 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 12/13/20 12:06 PM, Ashish Mishra wrote: > Hi Chris / Richard / Steve , > > I tried the suggested approach w.r.t Monolithic & also the patch suggested . > It seems it's creating policy.31 under DESTDIR directories . > > a) Is there anything I can check specifically and share observations ? I don't understand what you're asking. > b) Any link where we have this thread available for future reference. > I wanted to know if we have any archive which can be accessed like > other community > Something like https://lists.yoctoproject.org/g/poky/topics The mail list archive is here: https://lore.kernel.org/selinux-refpolicy/ > On Thu, Dec 10, 2020 at 3:32 AM Chris PeBenito wrote: >> >> On 12/9/20 11:13 AM, Richard Haines wrote: >>> On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote: >>>> >>>> On 12/9/20 9:37 AM, Richard Haines wrote: >>>>> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote: >>>>>> Hi Richard , >>>>>> >>>>>> Will check with the monolithic policy to check the behavior of >>>>>> the >>>>>> semodule as you suggested. >>>>>> >>>>>> Is there any similar approach / workaround for modular one? >>>>> >>>>> I've only had a quick look at code and I could see two ways to fix: >>>>> 1) Modify the Rules.modular part of the make file to move or copy >>>>> the >>>>> policy and file contexts set of files over to $DESTDIR. >>>>> 2) Modify semodule/semanage to handle $DESTDIR. I think this would >>>>> be >>>>> more difficult to fix as lots go on here. >>>>> >>>> >>>> semodule does accept the -p option to change the root, so we could >>>> feed >>>> DESTDIR into that. For example, a minimally tested patch: >>>> >>>> diff --git a/Rules.modular b/Rules.modular >>>> index d6224e95..64d953dc 100644 >>>> --- a/Rules.modular >>>> +++ b/Rules.modular >>>> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles) >>>> # make sure two directories exist since they are not >>>> # created by semanage >>>> @echo "Loading configured modules." >>>> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) >>>> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir >>>> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) >>>> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) >>>> $(DESTDIR)/var/lib/selinux >>>> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i >>>> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i >>>> $(modpkgdir)/$(mod)) >>>> >>>> ######################################## >>>> # >>>> >>>> >>>> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage >>>> expects that to already exist. >>>> >>>> Though, I would suggest that maybe the "install" target should run >>>> the >>>> above semodule command with the --noreload option to install all >>>> files >>>> and build the policy binary but not actually load it into the kernel. >>>> Then make load just becomes something like >>>> >>>> semodule -p $(DESTDIR)/ --reload >>>> >>>> Makes a clear distinction between installing everything that's needed >>>> vs actually loading the policy into the kernel. Happy to create a >>>> patch >>>> if that approach makes sense. >>> >>> Thanks Steve, that worked for me, however I guess Chris needs to >>> comment as the $(DESTDIR)/var/lib/selinux needs to be generated and >>> maybe a clarification comment in the README. Also need comment >>> regarding the use of --reload/--noreload. >> >> To my knowledge, the history is that semodule was only intended to run on the >> target system. If you wanted to precreate a policy you could >> semodule_link+semodule_expand like what is leveraged in the validate target. >> >> I'd take a patch that changes the Makefile behavior but would like some real >> testing first. >> >> -- >> Chris PeBenito -- Chris PeBenito