From: Richard Haines
To: selinux-refpolicy@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH] Ensure correct monolithic binary policy is loaded
Date: Thu, 17 Dec 2020 16:42:48 +0000
Message-Id: <20201217164248.17960-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.29.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org

When building a monolithic policy with 'make load', the selinux_config(5)
file 'SELINUXTYPE' entry determines what policy is loaded as load_policy(8)
does not take a path value (it always loads the active system policy as
defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if the
Reference Policy source is located at:
    /etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy. is loaded when 'make load' is
executed.

Another example is that if the Reference Policy source is located at:
    /tmp/custom-rootfs/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy. is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/refpolicy/policy/policy. that the developer thought would
be loaded).

Resolve these issues by using sestatus(8) to resolve the policy root, then
checking the selinux_config(5) file for the appropriate SELINUXTYPE entry.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines
---
 Makefile         |  1 +
 Rules.monolithic | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 6ba215f1..88a5e78f 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand LOADPOLICY ?= $(tc_usrsbindir)/load_policy SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen SETFILES ?= $(tc_sbindir)/setfiles +SESTATUS ?= $(tc_sbindir)/sestatus XMLLINT ?= $(BINDIR)/xmllint SECHECK ?= $(BINDIR)/sechecker diff --git a/Rules.monolithic b/Rules.monolithic index a8ae98d1..01e445ca 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -42,6 +42,12 @@ vpath %.te $(all_layers) vpath %.if $(all_layers) vpath %.fc $(all_layers) +# load_policy(8) loads policy from //policy/policy. +# Therefore need to determine if policy to load is in the right place, +SELINUXDIR ?= $(strip $(shell $(SESTATUS) | $(AWK) '/^SELinux root directory:/{ print $$4 }')) +# and that /config contains the correct SELINUXTYPE entry. +SELINUXTYPE ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUXDIR)/config)) + ######################################## # # default action: build policy locally @@ -91,9 +97,28 @@ endif # Load the binary policy # reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) - @echo "Loading $(NAME) $(loadpath)" - $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load +ifneq ($(SELINUXTYPE),$(NAME)) + $(eval NO_LOAD := $(shell echo 1)) + @echo + @echo "Warning: Cannot load policy as $(SELINUXDIR)/config file contains:" + @echo -e "\tSELINUXTYPE=$(SELINUXTYPE)" + @echo "Edit $(SELINUXDIR)/config and set \"SELINUXTYPE=$(NAME)\"." + @echo +endif + +ifneq ($(topdir),$(SELINUXDIR)) + $(eval NO_LOAD := $(shell echo 1)) + @echo + @echo "Warning: Cannot load policy as policy root MUST be $(SELINUXDIR)/$(NAME)" + @echo +endif + + @if test -z $(NO_LOAD); then \ + echo "Loading $(NAME) $(loadpath)" ;\ + $(verbose) $(LOADPOLICY) -q $(loadpath) ;\ + else \ + echo "Resolve binary policy configuration" ;\ + fi ######################################## # -- 2.29.2
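Review bot: in the Makefile hunk (@@ -64,6 +64,7 @@) the new `SESTATUS ?= $(tc_sbindir)/sestatus` uses a different prefix from the `LOADPOLICY ?= $(tc_usrsbindir)/load_policy` line directly above it, yet sestatus is usually installed alongside load_policy under /usr/sbin; please verify which directory holds sestatus on the supported build hosts and, if it is the same as load_policy, use `SESTATUS ?= $(tc_usrsbindir)/sestatus` so both tools resolve consistently when a toolchain prefix is set.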
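Review bot: in the first Rules.monolithic hunk (@@ -42,6 +42,12 @@) the `SELINUXDIR ?=` and `SELINUXTYPE ?=` definitions are recursively expanded, and because the `ifneq ($(SELINUXTYPE),$(NAME))` that consumes them in the load rule is a make conditional evaluated at parse time, `sestatus` and the awk over `$(SELINUXDIR)/config` now run on every make invocation that reads Rules.monolithic, not just `make load`, and again at every later reference to either variable. On a build host where sestatus is missing or SELinux is disabled this prints shell errors, leaves SELINUXDIR empty and makes the second command read `/config`. Suggest computing each value once with `:=` inside an `ifndef`, and guarding the config lookup with something like `ifneq ($(SELINUXDIR),)` so the failure mode is a clear "could not determine policy root" message rather than noise on unrelated targets. A short note in the comment that both variables can be overridden on the command line would also help, since `?=` is clearly intended for that.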
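Review bot: in the second Rules.monolithic hunk (@@ -91,9 +97,28 @@) the line `$(verbose) $(LOADPOLICY) -q $(loadpath) ;\` now sits inside the shell body of `@if test -z $(NO_LOAD); then \` rather than at the start of its own recipe line, so when `verbose` expands to make's `@` quiet prefix the shell receives a command literally named `@` and the policy is never loaded; either drop `$(verbose)` there or keep `$(LOADPOLICY)` on a separate recipe line. Further points in the same hunk: both warning paths only echo and the rule still exits 0, so a scripted `make load` reports success while nothing was loaded (an `exit 1` in the else branch would be safer); `$(eval NO_LOAD := $(shell echo 1))` is an elaborate `NO_LOAD := 1`, and since the surrounding `ifneq` blocks are parse-time conditionals the flag can be set there instead of inside the recipe; `test -z $(NO_LOAD)` should quote its argument (`test -z "$(NO_LOAD)"`); `echo -e "\tSELINUXTYPE=$(SELINUXTYPE)"` is not POSIX and prints a literal `-e` under a dash-style /bin/sh, so `printf '\tSELINUXTYPE=%s\n' '$(SELINUXTYPE)'` is more portable; and the second warning states the root "MUST be $(SELINUXDIR)/$(NAME)" while the condition actually compares `$(topdir)` with `$(SELINUXDIR)`, so print `$(topdir)` in the message so the user sees the value that failed the check.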
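Added example, not part of Richard Haines's patch or of the Reference Policy build system: the two checks the patch adds to Rules.monolithic (SELINUXTYPE in the config file must name the policy being built, and the install root must be the policy root that sestatus(8) reports) written as a stand-alone POSIX sh script that can be run by hand before 'make load'. The sestatus output and selinux_config(5) file it parses are constructed samples embedded in the script, and the function names, the install-root argument (standing in for what the patch calls $(topdir)) and the bit-mask return codes are this example's own conventions.

```shell
#!/bin/sh
# Added example (not part of the patch or the Reference Policy build system).
# Reproduces the two checks the patch performs in Rules.monolithic as plain
# POSIX sh so they can be run by hand before 'make load'. The sestatus(8)
# output and selinux_config(5) file below are constructed samples.

# Constructed sample of sestatus(8) output.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing'

# Constructed sample of /etc/selinux/config.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# policy_root STATUS_TEXT: prints the policy root, the same awk field the
# patch extracts from "SELinux root directory:" (empty if the line is absent).
policy_root() {
    printf '%s\n' "$1" | awk '/^SELinux root directory:/ { print $4 }'
}

# config_type CONFIG_TEXT: prints the SELINUXTYPE= value with whitespace removed.
config_type() {
    printf '%s\n' "$1" | awk -F= '/^SELINUXTYPE=/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# check_load SELINUXDIR INSTALL_ROOT NAME CONFIG_TYPE
# Mirrors the patch's two conditions: the config's SELINUXTYPE must equal the
# policy NAME, and the install root (the patch's $(topdir)) must be the policy
# root sestatus reports. Return code is a bit mask (this example's convention):
# 0 load is safe, 1 wrong SELINUXTYPE, 2 wrong or unknown root, 3 both.
check_load() {
    seldir=$1; root=$2; name=$3; cfg=$4
    rc=0
    if [ -z "$seldir" ]; then
        echo "Warning: could not determine the policy root (is sestatus available and SELinux enabled?)" >&2
        return 2
    fi
    if [ "$cfg" != "$name" ]; then
        echo "Warning: $seldir/config contains SELINUXTYPE=$cfg; set SELINUXTYPE=$name" >&2
        rc=$((rc + 1))
    fi
    if [ "$root" != "$seldir" ]; then
        echo "Warning: install root $root is not the policy root $seldir; load_policy would read $seldir/$name/policy" >&2
        rc=$((rc + 2))
    fi
    return "$rc"
}

# Stand-alone run on the constructed samples: a 'refpolicy' build on a host
# whose config says SELINUXTYPE=targeted is refused.
seldir=$(policy_root "$SAMPLE_SESTATUS")
cfg=$(config_type "$SAMPLE_CONFIG")
if check_load "$seldir" "$seldir" refpolicy "$cfg"; then
    echo "OK: load_policy -q would load the refpolicy build"
else
    echo "Resolve binary policy configuration before 'make load'"
fi
```

To use it against a real host, replace the two constructed samples with `$(sestatus)` and `$(cat /etc/selinux/config)` and pass the build's DESTDIR-prefixed /etc/selinux as the install root; the warnings go to stderr and the exit status tells a wrapper script which of the two conditions failed.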