From: Richard Haines
To: selinux-refpolicy@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH V2] Ensure correct monolithic binary policy is loaded
Date: Fri, 18 Dec 2020 15:03:07 +0000
Message-Id: <20201218150307.8826-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.29.2
X-Mailing-List: selinux-refpolicy@vger.kernel.org

When building a monolithic policy with 'make load', the selinux_config(5)
file 'SELINUXTYPE' entry determines what policy is loaded, as load_policy(8)
does not take a path value (it always loads the active system policy as
defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if the
Reference Policy source is located at:
    /etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy. is loaded when 'make load' is
executed.

Another example is that if the Reference Policy source is located at:
    /tmp/custom-rootfs/etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy. is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy. that the developer
thought would be loaded).

Resolve these issues by using selinux_path(3) to resolve the policy root,
then checking the selinux_config(5) file for the appropriate SELINUXTYPE
entry.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines
---
V2 Changes:
  Use $(error .. instead of NO_LOAD logic.
  Use python script to find selinux path not sestatus.
  Reword error messages.

 Makefile                |  1 +
 Rules.monolithic        | 15 ++++++++++++++-
 support/selinux_path.py | 13 +++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 support/selinux_path.py
diff --git a/Makefile b/Makefile index 6ba215f1..e49d43d0 100644 --- a/Makefile +++ b/Makefile @@ -97,6 +97,7 @@ genxml := $(PYTHON) $(support)/segenxml.py gendoc := $(PYTHON) $(support)/sedoctool.py genperm := $(PYTHON) $(support)/genclassperms.py policyvers := $(PYTHON) $(support)/policyvers.py +selinux_path := $(PYTHON) $(support)/selinux_path.py fcsort := $(PYTHON) $(support)/fc_sort.py setbools := $(AWK) -f $(support)/set_bools_tuns.awk get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed diff --git a/Rules.monolithic b/Rules.monolithic index a8ae98d1..cd065362 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -42,6 +42,12 @@ vpath %.te $(all_layers) vpath %.if $(all_layers) vpath %.fc $(all_layers) +# load_policy(8) loads policy from //policy/policy. +# It does this by reading the /config file and using the +# SELINUX_PATH/SELINUXTYPE entries to form the initial path. +SELINUX_PATH := $(shell $(selinux_path)) +SELINUXTYPE := $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUX_PATH)/config)) + ######################################## # # default action: build policy locally @@ -91,9 +97,16 @@ endif # Load the binary policy # reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) +ifneq ($(SELINUXTYPE),$(NAME)) + $(error Cannot load policy as $(SELINUX_PATH)/config file contains SELINUXTYPE=$(SELINUXTYPE) - \ + Edit $(SELINUX_PATH)/config and set "SELINUXTYPE=$(NAME)") +endif +ifneq ($(topdir),$(SELINUX_PATH)) + $(error Cannot load policy as policy root MUST be $(SELINUX_PATH)/$(NAME) - \ + Current policy root is: $(topdir)/$(NAME)) +endif @echo "Loading $(NAME) $(loadpath)" $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load ######################################## # diff --git a/support/selinux_path.py b/support/selinux_path.py new file mode 100644 index 00000000..b663ff09 --- /dev/null +++ b/support/selinux_path.py 
@@ -0,0 +1,13 @@ +#!/usr/bin/env python3 + +try: + import warnings + with warnings.catch_warnings(): + warnings.filterwarnings("ignore", category=PendingDeprecationWarning) + import selinux + + if selinux.is_selinux_enabled(): + # Strip the trailing '/' + print(selinux.selinux_path()[:-1]) +except ImportError: + exit(0) -- 2.29.2
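Review bot: in the Rules.monolithic hunk that introduces SELINUX_PATH and SELINUXTYPE, both `:=` assignments are expanded on every make invocation, not only for `make load`, and when the helper prints nothing (no python3 selinux bindings, or `is_selinux_enabled()` false, as in a build container) `$(SELINUX_PATH)/config` collapses to `/config`, so the awk emits a "cannot open" error on every `make policy` or `make conf` run. Deferring evaluation (`=` instead of `:=`, or reading the values inside the load rule) or guarding with `ifneq ($(SELINUX_PATH),)` would keep non-loading targets quiet. Separately, `/^SELINUXTYPE/` is not anchored on the `=`, so a key such as `SELINUXTYPEFOO=` would also match, and if the key occurs twice `$(strip ...)` joins both values with a space and the comparison with `$(NAME)` fails for the wrong reason; `/^SELINUXTYPE=/` with the last match winning keeps the Makefile's reading aligned with what libselinux (selinux_config.c) resolves for load_policy.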
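Review bot: in the `$(tmpdir)/load` hunk, the two `$(error ...)` recipe lines are split with a trailing backslash; inside a recipe make preserves the backslash/newline pair in the expanded text, so the message the developer sees is likely to carry a literal `\` at the end of its first line. Putting each message on a single line, or assembling it with `define`, avoids that. The second message also reports `$(topdir)/$(NAME)` as the "current policy root" while `$(topdir)` is the DESTDIR-derived install prefix rather than the location of the source tree the commit message talks about; naming `DESTDIR` in the message would point the developer at the variable they actually have to change.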
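Review bot: support/selinux_path.py fails silently: `except ImportError: exit(0)` and a false `is_selinux_enabled()` both print nothing, so the Makefile ends up with an empty SELINUX_PATH and the developer sees a misleading "policy root MUST be /refpolicy" instead of learning that the python3 selinux bindings are missing or SELinux is disabled. Writing the reason to stderr and exiting non-zero (or printing `/etc/selinux` as a fallback) lets the Makefile report the real cause, e.g. `except ImportError: print("python3 selinux bindings not found", file=sys.stderr); sys.exit(1)`, with a matching `ifeq ($(SELINUX_PATH),)` guard in Rules.monolithic since `$(shell ...)` does not fail on a non-zero exit by itself. Also `selinux_path()[:-1]` hard-codes the assumption of a trailing slash; `rstrip('/')` strips it without truncating a path that lacks one, and `sys.exit` is preferable to the site-provided `exit` builtin in a script.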
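One way to exercise the two pre-load checks the patch adds, as an added Python example that is not code from the patch or from the Reference Policy tree: it models the SELINUXTYPE lookup and the DESTDIR/selinux_path comparison in plain Python and runs the two scenarios from the commit message plus the one that should pass. The parser rules (comment lines skipped, key matched case-insensitively, last entry wins) are an assumption meant to approximate libselinux's reading of selinux_config(5), and the policy version 33 is only a placeholder; neither comes from the page.

```python
#!/usr/bin/env python3
"""Offline model of the two pre-load checks the patch adds to Rules.monolithic.

Added example, not code from the patch or from refpolicy.  It reproduces the
logic in plain Python so the failure cases in the commit message can be
exercised without SELinux present:

  1. SELINUXTYPE in <selinux_path>/config must equal NAME (the policy being
     built), because load_policy(8) ignores the path it is handed and loads
     <selinux_path>/<SELINUXTYPE>/policy/policy.<vers>.
  2. The install root ($(DESTDIR)/etc/selinux, i.e. $(topdir)) must equal
     selinux_path, otherwise the binary 'make load' just built is not the
     one load_policy reads.

Assumption: the parser below approximates libselinux's handling of
selinux_config(5) (comments skipped, case-insensitive key, last entry wins);
libselinux's selinux_config.c is the authority on the exact rules.
"""
import os
import re
from typing import Optional, Tuple

# Assumed key syntax: optional whitespace, case-insensitive key, '=', value.
_TYPE_RE = re.compile(r"^\s*SELINUXTYPE\s*=\s*(\S+)", re.IGNORECASE)


def parse_selinuxtype(config_text: str) -> Optional[str]:
    """Return the SELINUXTYPE value from the text of /etc/selinux/config.

    Blank and '#' comment lines are ignored; if the key occurs more than
    once the last occurrence wins; None if the key is absent.
    """
    value = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _TYPE_RE.match(stripped)
        if match:
            value = match.group(1)
    return value


def expected_load_path(selinux_path: str, selinuxtype: str, policyvers: int) -> str:
    """The file load_policy(8) will read, whatever path 'make load' built."""
    return os.path.join(selinux_path.rstrip("/"), selinuxtype, "policy",
                        f"policy.{policyvers}")


def check_load(name: str, destdir: str, selinux_path: str, config_text: str,
               policyvers: int = 33) -> Tuple[bool, str]:
    """Mirror the patch's two ifneq checks; returns (ok, message).

    name          NAME from build.conf
    destdir       DESTDIR given to make ('' for the live system)
    selinux_path  value of selinux_path(3), normally '/etc/selinux/'
    config_text   contents of <selinux_path>/config
    policyvers    placeholder kernel policy version (assumption)
    """
    root = selinux_path.rstrip("/")
    topdir = destdir.rstrip("/") + "/etc/selinux"   # $(topdir) in the Makefile
    selinuxtype = parse_selinuxtype(config_text)

    if selinuxtype != name:
        would_load = expected_load_path(root, selinuxtype or "<unset>", policyvers)
        return False, (f"Cannot load policy as {root}/config contains "
                       f"SELINUXTYPE={selinuxtype}; load_policy would read "
                       f"{would_load}. Edit {root}/config and set SELINUXTYPE={name}")
    if topdir != root:
        return False, (f"Cannot load policy as policy root MUST be {root}/{name} "
                       f"(from selinux_path(3)); current DESTDIR gives {topdir}/{name}")
    return True, f"Loading {name} {expected_load_path(root, name, policyvers)}"


# Constructed sample configs for the scenarios in the commit message.
CONFIG_TARGETED = ("# This file controls the state of SELinux on the system.\n"
                   "SELINUX=enforcing\n"
                   "SELINUXTYPE=targeted\n")
CONFIG_REFPOLICY = ("SELINUX=permissive\n"
                    "selinuxtype = refpolicy\n")


def main() -> None:
    cases = [
        ("source at /etc/selinux/refpolicy, SELINUXTYPE=targeted",
         "refpolicy", "", "/etc/selinux/", CONFIG_TARGETED),
        ("source under DESTDIR=/tmp/custom-rootfs, SELINUXTYPE=refpolicy",
         "refpolicy", "/tmp/custom-rootfs", "/etc/selinux/", CONFIG_REFPOLICY),
        ("source at /etc/selinux/refpolicy, SELINUXTYPE=refpolicy",
         "refpolicy", "", "/etc/selinux/", CONFIG_REFPOLICY),
    ]
    for title, name, destdir, sepath, cfg in cases:
        ok, msg = check_load(name, destdir, sepath, cfg)
        print(f"{'OK  ' if ok else 'FAIL'} {title}\n      {msg}")


if __name__ == "__main__":
    main()
```

The first two cases reproduce the mis-load scenarios from the commit message and are rejected before anything would be handed to load_policy; the third is the only configuration in which the binary that `make load` installed is also the one `<selinux_path>/config` points load_policy at.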