Subject: Re: [PATCH V3] Ensure correct monolithic binary policy is loaded
To: Richard Haines, selinux-refpolicy@vger.kernel.org
References: <20201221122213.11643-1-richard_c_haines@btinternet.com>
From: Chris PeBenito
Message-ID: <3d7cae1e-943f-d857-b9b3-89c1d773362e@ieee.org>
Date: Wed, 13 Jan 2021 09:56:51 -0500
In-Reply-To: <20201221122213.11643-1-richard_c_haines@btinternet.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 12/21/20 7:22 AM, Richard Haines wrote:
> When building a monolithic policy with 'make load', the
> selinux_config(5) file 'SELINUXTYPE' entry determines what policy
> is loaded as load_policy(8) does not take a path value (it always loads
> the active system policy as defined by /etc/selinux/config).
>
> Currently it is possible to load the wrong binary policy, for example if
> the Reference Policy source is located at:
>     /etc/selinux/refpolicy
> and the /etc/selinux/config file has the following entry:
>     SELINUXTYPE=targeted
> Then the /etc/selinux/targeted/policy/policy. is loaded when
> 'make load' is executed.
> Resolve this by using selinux_binary_policy_path(3) to determine the
> current configured policy name and its location.
>
> Another example is that if the Reference Policy source is located at:
>     /tmp/custom-rootfs/etc/selinux/refpolicy
> and the /etc/selinux/config file has the following entry:
>     SELINUXTYPE=refpolicy
> Then the /etc/selinux/refpolicy/policy/policy. is loaded when
> 'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
> /tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy. that the
> developer thought would be loaded).
> Resolve this by checking if DESTDIR has been set.
>
> Remove the '@touch $(tmpdir)/load' line as the file is never referenced.
> > Signed-off-by: Richard Haines > --- > V2 Changes: Use $(error .. instead of NO_LOAD logic. Use python script to > find selinux path not sestatus. Reword error messages. > V3 Change: Use the selinux_binary_policy_path() python script and reword > error messages. > > Makefile | 1 + > Rules.monolithic | 15 ++++++++++++++- > support/selinux_binary_policy_path.py | 12 ++++++++++++ > 3 files changed, 27 insertions(+), 1 deletion(-) > create mode 100644 support/selinux_binary_policy_path.py > > diff --git a/Makefile b/Makefile > index 6ba215f1..1b0a4826 100644 > --- a/Makefile > +++ b/Makefile > @@ -97,6 +97,7 @@ genxml := $(PYTHON) $(support)/segenxml.py > gendoc := $(PYTHON) $(support)/sedoctool.py > genperm := $(PYTHON) $(support)/genclassperms.py > policyvers := $(PYTHON) $(support)/policyvers.py > +binary_policy_path := $(PYTHON) $(support)/selinux_binary_policy_path.py > fcsort := $(PYTHON) $(support)/fc_sort.py > setbools := $(AWK) -f $(support)/set_bools_tuns.awk > get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed > diff --git a/Rules.monolithic b/Rules.monolithic > index a8ae98d1..7dbc2e1c 100644 > --- a/Rules.monolithic > +++ b/Rules.monolithic > @@ -13,6 +13,12 @@ ifeq "$(kv)" "" > kv := $(pv) > endif > > +# load_policy(8) loads policy from /etc/selinux//policy/policy.$(pv) > +# It does this by reading the /etc/selinux/config file SELINUXTYPE entry to > +# form the full path. $(polbinpath) will contain this evaluated path for use as > +# a validation check. > +polbinpath := $(shell $(binary_policy_path)) > + > policy_conf = $(builddir)policy.conf > fc = $(builddir)file_contexts > polver = $(builddir)policy.$(pv) 
> @@ -91,9 +97,16 @@ endif > # Load the binary policy > # > reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) > +ifneq ($(DESTDIR),) > + $(error Cannot load policy as '$$DESTDIR' is set to $(DESTDIR), \ > + creating an invalid policy load path) > +endif > +ifneq ($(polbinpath).$(pv),$(loadpath)) > + $(error Cannot load policy as invalid policy path: $(polbinpath).$(pv) - \ > + Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)") > +endif > @echo "Loading $(NAME) $(loadpath)" > $(verbose) $(LOADPOLICY) -q $(loadpath) > - @touch $(tmpdir)/load > > ######################################## > # > diff --git a/support/selinux_binary_policy_path.py b/support/selinux_binary_policy_path.py > new file mode 100644 > index 00000000..a30eb9b6 > --- /dev/null > +++ b/support/selinux_binary_policy_path.py > @@ -0,0 +1,12 @@ > +#!/usr/bin/env python3 > + > +try: > + import warnings > + with warnings.catch_warnings(): > + warnings.filterwarnings("ignore", category=PendingDeprecationWarning) > + import selinux > + > + if selinux.is_selinux_enabled(): > + print(selinux.selinux_binary_policy_path()) > +except ImportError: > + exit(0) Merged, sorry for the slow response. -- Chris PeBenito
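
Review bot: the comment added above 'polbinpath :=' in the first Rules.monolithic hunk (@@ -13,6 +13,12 @@) says $(polbinpath) will contain the evaluated path ending in policy.$(pv), but the later check compares '$(polbinpath).$(pv)' with $(loadpath), so the variable holds the path without the version suffix, and it is empty when the helper script prints nothing. Suggest rewording the comment to state both, so a reader of the rule below knows what is being compared.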
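
Review bot: in the reload rule hunk of Rules.monolithic (@@ -91,9 +97,16 @@), the second check does not handle an empty $(polbinpath). support/selinux_binary_policy_path.py prints nothing when SELinux is disabled or when 'import selinux' fails, so '$(polbinpath).$(pv)' expands to '.$(pv)', the ifneq is true, and the user is told to check the SELINUXTYPE entry although that is not the cause. Suggest testing for an empty $(polbinpath) first, with its own $(error ...) text that names the disabled state or the missing Python bindings.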
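
Review bot: in support/selinux_binary_policy_path.py, 'except ImportError: exit(0)' relies on the exit() helper that the site module installs for interactive use, which is not defined when the interpreter is started with -S. Suggest 'import sys' and 'sys.exit(0)', or simply 'pass', since the script ends at that point anyway. The try block also wraps the two selinux calls while only ImportError is caught; narrowing the try to the import would make the intended failure mode explicit.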