2013-05-28 09:28:50

by Qingtao Cao

Subject: [refpolicy] [PATCH 1/1] Remove the hard-coding of selinuxfs mountpoint

Remove the hard-coding of selinuxfs mountpoint in Rules.monolithic,
especially since it has been relocated to /sys/fs/.

Signed-off-by: Qingtao Cao <[email protected]>
---
Rules.monolithic | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Rules.monolithic b/Rules.monolithic
index 7c4d035..acac675 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -5,7 +5,8 @@

# determine the policy version and current kernel version if possible
pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
-kv := $(shell cat /selinux/policyvers)
+selinuxfs_mnt = $(shell mount | grep selinuxfs | cut -f 3 -d ' ')
+kv := $(shell cat $(selinuxfs_mnt)/policyvers)

# dont print version warnings if we are unable to determine
# the currently running kernel's policy version
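Review bot: the added `selinuxfs_mnt` line assumes that `mount | grep selinuxfs | cut -f 3 -d ' '` produces exactly one path. `grep selinuxfs` matches any mount line containing that string, and `$(shell ...)` joins multiple output lines with spaces, so with two matches `cat $(selinuxfs_mnt)/policyvers` expands to `cat <first> <second>/policyvers`. Match on the filesystem type field and take a single result, or obtain the policy version from a tool that already knows the mount point.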
--
1.8.1.4


2013-06-05 17:35:29

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Remove the hard-coding of selinuxfs mountpoint

On 05/28/13 05:28, Qingtao Cao wrote:
> Remove the hard-coding of selinuxfs mountpoint in Rules.monolithic,
> especially since it has been relocated to /sys/fs/.
>
> Signed-off-by: Qingtao Cao <[email protected]>
> ---
> Rules.monolithic | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/Rules.monolithic b/Rules.monolithic
> index 7c4d035..acac675 100644
> --- a/Rules.monolithic
> +++ b/Rules.monolithic
> @@ -5,7 +5,8 @@
>
> # determine the policy version and current kernel version if possible
> pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
> -kv := $(shell cat /selinux/policyvers)
> +selinuxfs_mnt = $(shell mount | grep selinuxfs | cut -f 3 -d ' ')
> +kv := $(shell cat $(selinuxfs_mnt)/policyvers)
>
> # dont print version warnings if we are unable to determine
> # the currently running kernel's policy version
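Review bot: the `kv :=` line has no handling for an empty `selinuxfs_mnt`. On a build host where selinuxfs is not mounted it runs `cat /policyvers`, which prints an error to the build output and leaves `kv` empty. Guard the read (for example only run `cat` when `$(selinuxfs_mnt)` is non-empty, with stderr discarded) so the "unable to determine" case in the comment below stays quiet. As a style point, `selinuxfs_mnt` should use `:=` like `pv` and `kv`, so the `mount` pipeline is evaluated once.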

I'd like to do something like this, but I don't think this way is the best, as Gentoo, for example, has two mounts of selinuxfs (in /sys/fs/ and / for compat). It seems like updating the selinuxconfig tool would be best, but Fedora doesn't include it. We might have to grep it from sestatus output. Or we could update the libselinux swig wrapper to export selinux_mnt, so we could use a python script to find the mount point.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-06-06 04:29:44

by Qingtao Cao

Subject: [refpolicy] [PATCH 1/1] Remove the hard-coding of selinuxfs mountpoint

Thanks Chris for your comments! Please check out the revised version that
uses sestatus.

Now that the "selinux_mnt" string is initialized by libselinux and sestatus
has printed it out anyway, it would be relatively easier to manipulate
sestatus result than touching the libselinux swig wrapper and writing a
relevant python.

Thanks,
Harry



On Thu, Jun 6, 2013 at 1:35 AM, Christopher J. PeBenito <
[email protected]> wrote:

> On 05/28/13 05:28, Qingtao Cao wrote:
> > Remove the hard-coding of selinuxfs mountpoint in Rules.monolithic,
> > especially since it has been relocated to /sys/fs/.
> >
> > Signed-off-by: Qingtao Cao <[email protected]>
> > ---
> > Rules.monolithic | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/Rules.monolithic b/Rules.monolithic
> > index 7c4d035..acac675 100644
> > --- a/Rules.monolithic
> > +++ b/Rules.monolithic
> > @@ -5,7 +5,8 @@
> >
> > # determine the policy version and current kernel version if possible
> > pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
> > -kv := $(shell cat /selinux/policyvers)
> > +selinuxfs_mnt = $(shell mount | grep selinuxfs | cut -f 3 -d ' ')
> > +kv := $(shell cat $(selinuxfs_mnt)/policyvers)
> >
> > # dont print version warnings if we are unable to determine
> > # the currently running kernel's policy version
>
> I'd like to do something like this, but I don't think this way is the
> best, as Gentoo, for example, has two mounts of selinuxfs (in /sys/fs/ and
> / for compat). It seems like updating the selinuxconfig tool would be
> best, but Fedora doesn't include it. We might have to grep it from
> sestatus output. Or we could update the libselinux swig wrapper to export
> selinux_mnt, so we could use a python script to find the mount point.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Remove-the-hard-coding-of-selinuxfs-mountpoint.patch
Type: application/octet-stream
Size: 1087 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20130606/4e1c971f/attachment.obj

2013-06-06 13:29:58

by cpebenito

Subject: [refpolicy] [PATCH 1/1] Remove the hard-coding of selinuxfs mountpoint

On 06/06/13 00:29, Qingtao Cao wrote:
> Thanks Chris for your comments! Please check out the revised version that uses sestatus.
>
> Now that the "selinux_mnt" string is initialized by libselinux and sestatus has printed it out anyway, it would be relatively easier to manipulate sestatus result than touching the libselinux swig wrapper and writing a relevant python.

On second thought, since we only care about the selinuxfs location because we want the policy version, we can just use the python bindings to get the policy version and then not care about selinuxfs. I committed a patch that does this.


> On Thu, Jun 6, 2013 at 1:35 AM, Christopher J. PeBenito <cpebenito at tresys.com <mailto:[email protected]>> wrote:
>
> On 05/28/13 05:28, Qingtao Cao wrote:
> > Remove the hard-coding of selinuxfs mountpoint in Rules.monolithic,
> > especially since it has been relocated to /sys/fs/.
> >
> > Signed-off-by: Qingtao Cao <qingtao.cao.au at gmail.com <mailto:[email protected]>>
> > ---
> > Rules.monolithic | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/Rules.monolithic b/Rules.monolithic
> > index 7c4d035..acac675 100644
> > --- a/Rules.monolithic
> > +++ b/Rules.monolithic
> > @@ -5,7 +5,8 @@
> >
> > # determine the policy version and current kernel version if possible
> > pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
> > -kv := $(shell cat /selinux/policyvers)
> > +selinuxfs_mnt = $(shell mount | grep selinuxfs | cut -f 3 -d ' ')
> > +kv := $(shell cat $(selinuxfs_mnt)/policyvers)
> >
> > # dont print version warnings if we are unable to determine
> > # the currently running kernel's policy version
>
> I'd like to do something like this, but I don't think this way is the best, as Gentoo, for example, has two mounts of selinuxfs (in /sys/fs/ and / for compat). It seems like updating the selinuxconfig tool would be best, but Fedora doesn't include it. We might have to grep it from sestatus output. Or we could update the libselinux swig wrapper to export selinux_mnt, so we could use a python script to find the mount point.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com <http://www.tresys.com> | oss.tresys.com <http://oss.tresys.com>
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
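
The approach described in the message above, as an added example that is not part of the thread and is not the patch that was committed: ask the libselinux Python bindings for the policy version, and only fall back to the mount table when they are unavailable. It assumes the bindings expose `selinux.security_policyvers()` and that `/proc/mounts` is readable; the helper names and the sample mount table are constructed for illustration.

```python
import os

# Constructed /proc/mounts sample: selinuxfs mounted twice, plus a path that only contains the name.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
selinuxfs /selinux selinuxfs rw,relatime 0 0
/dev/sda1 /mnt/selinuxfs\\040backup ext4 rw 0 0
"""

def unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def selinuxfs_mounts(mounts_text):
    # Keep only entries whose filesystem type (third field) is exactly selinuxfs.
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "selinuxfs":
            points.append(unescape(fields[1]))
    return points

def policy_version_from_mounts(mounts_text, read_file):
    # Use the first selinuxfs mount whose policyvers file parses as an integer.
    for mnt in selinuxfs_mounts(mounts_text):
        try:
            return int(read_file(os.path.join(mnt, "policyvers")).strip())
        except (OSError, ValueError):
            continue  # unreadable or malformed: try the next mount
    return None  # unknown: the caller skips the version warning

def _read(path):
    with open(path) as f:
        return f.read()

def kernel_policy_version():
    try:
        import selinux  # libselinux Python bindings, assumed installed
        return selinux.security_policyvers()
    except (ImportError, OSError):
        pass  # no bindings or SELinux disabled: fall back to the mount table
    try:
        return policy_version_from_mounts(_read("/proc/mounts"), _read)
    except OSError:
        return None

if __name__ == "__main__":
    print(kernel_policy_version())
```

On a host without SELinux this prints `None`, which a Makefile can treat as "version unknown" instead of parsing an error message.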

2013-06-07 06:35:54

by Qingtao Cao

Subject: [refpolicy] [PATCH 1/1] Remove the hard-coding of selinuxfs mountpoint

Thanks Chris! Your commit sure looks much more elegant than mine :-)

Cheers,
Harry


On Thu, Jun 6, 2013 at 9:29 PM, Christopher J. PeBenito <
[email protected]> wrote:

> On 06/06/13 00:29, Qingtao Cao wrote:
> > Thanks Chris for your comments! Please check out the revised version
> that uses sestatus.
> >
> > Now that the "selinux_mnt" string is initialized by libselinux and
> sestatus has printed it out anyway, it would be relatively easier to
> manipulate sestatus result than touching the libselinux swig wrapper and
> writing a relevant python.
>
> On second thought, since we only care about the selinuxfs location because
> we want the policy version, we can just use the python bindings to get the
> policy version and then not care about selinuxfs. I committed a patch that
> does this.
>
>
> > On Thu, Jun 6, 2013 at 1:35 AM, Christopher J. PeBenito <
> cpebenito at tresys.com <mailto:[email protected]>> wrote:
> >
> > On 05/28/13 05:28, Qingtao Cao wrote:
> > > Remove the hard-coding of selinuxfs mountpoint in Rules.monolithic,
> > > especially since it has been relocated to /sys/fs/.
> > >
> > > Signed-off-by: Qingtao Cao <[email protected] <mailto:
> qingtao.cao.au at gmail.com>>
> > > ---
> > > Rules.monolithic | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/Rules.monolithic b/Rules.monolithic
> > > index 7c4d035..acac675 100644
> > > --- a/Rules.monolithic
> > > +++ b/Rules.monolithic
> > > @@ -5,7 +5,8 @@
> > >
> > > # determine the policy version and current kernel version if
> possible
> > > pv := $(shell $(CHECKPOLICY) -V |cut -f 1 -d ' ')
> > > -kv := $(shell cat /selinux/policyvers)
> > > +selinuxfs_mnt = $(shell mount | grep selinuxfs | cut -f 3 -d ' ')
> > > +kv := $(shell cat $(selinuxfs_mnt)/policyvers)
> > >
> > > # dont print version warnings if we are unable to determine
> > > # the currently running kernel's policy version
> >
> > I'd like to do something like this, but I don't think this way is
> the best, as Gentoo, for example, has two mounts of selinuxfs (in /sys/fs/
> and / for compat). It seems like updating the selinuxconfig tool would be
> best, but Fedora doesn't include it. We might have to grep it from
> sestatus output. Or we could update the libselinux swig wrapper to export
> selinux_mnt, so we could use a python script to find the mount point.
> >
> > --
> > Chris PeBenito
> > Tresys Technology, LLC
> > http://www.tresys.com <http://www.tresys.com> | oss.tresys.com <
> http://oss.tresys.com>
> >
> >
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>