From: Richard Haines
To: selinux-refpolicy@vger.kernel.org
Cc: Richard Haines
Subject: [PATCH] Ensure correct monolithic binary policy is loaded
Date: Thu, 17 Dec 2020 16:42:48 +0000
Message-Id: <20201217164248.17960-1-richard_c_haines@btinternet.com>

When building a monolithic policy with 'make load', the selinux_config(5)
file 'SELINUXTYPE' entry determines what policy is loaded as load_policy(8)
does not take a path value (it always loads the active system policy as
defined by /etc/selinux/config).

Currently it is possible to load the wrong binary policy, for example if the
Reference Policy source is located at:
    /etc/selinux/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=targeted
Then the /etc/selinux/targeted/policy/policy. is loaded when 'make load' is
executed.

Another example is that if the Reference Policy source is located at:
    /tmp/custom-rootfs/refpolicy
and the /etc/selinux/config file has the following entry:
    SELINUXTYPE=refpolicy
Then the /etc/selinux/refpolicy/policy/policy. is loaded when
'make DESTDIR=/tmp/custom-rootfs load' is executed (not the
/tmp/custom-rootfs/refpolicy/policy/policy. that the developer thought would
be loaded).

Resolve these issues by using sestatus(8) to resolve the policy root, then
checking the selinux_config(5) file for the appropriate SELINUXTYPE entry.

Remove the '@touch $(tmpdir)/load' line as the file is never referenced.

Signed-off-by: Richard Haines
---
 Makefile         |  1 +
 Rules.monolithic | 31 ++++++++++++++++++++++++++++---
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index 6ba215f1..88a5e78f 100644
--- a/Makefile
+++ b/Makefile
@@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand LOADPOLICY ?= $(tc_usrsbindir)/load_policy SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen SETFILES ?= $(tc_sbindir)/setfiles +SESTATUS ?= $(tc_sbindir)/sestatus XMLLINT ?= $(BINDIR)/xmllint SECHECK ?= $(BINDIR)/sechecker diff --git a/Rules.monolithic b/Rules.monolithic index a8ae98d1..01e445ca 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -42,6 +42,12 @@ vpath %.te $(all_layers) vpath %.if $(all_layers) vpath %.fc $(all_layers) +# load_policy(8) loads policy from //policy/policy. +# Therefore need to determine if policy to load is in the right place, +SELINUXDIR ?= $(strip $(shell $(SESTATUS) | $(AWK) '/^SELinux root directory:/{ print $$4 }')) +# and that /config contains the correct SELINUXTYPE entry. +SELINUXTYPE ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUXDIR)/config)) + ######################################## # # default action: build policy locally @@ -91,9 +97,28 @@ endif # Load the binary policy # reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) - @echo "Loading $(NAME) $(loadpath)" - $(verbose) $(LOADPOLICY) -q $(loadpath) - @touch $(tmpdir)/load +ifneq ($(SELINUXTYPE),$(NAME)) + $(eval NO_LOAD := $(shell echo 1)) + @echo + @echo "Warning: Cannot load policy as $(SELINUXDIR)/config file contains:" + @echo -e "\tSELINUXTYPE=$(SELINUXTYPE)" + @echo "Edit $(SELINUXDIR)/config and set \"SELINUXTYPE=$(NAME)\"." + @echo +endif + +ifneq ($(topdir),$(SELINUXDIR)) + $(eval NO_LOAD := $(shell echo 1)) + @echo + @echo "Warning: Cannot load policy as policy root MUST be $(SELINUXDIR)/$(NAME)" + @echo +endif + + @if test -z $(NO_LOAD); then \ + echo "Loading $(NAME) $(loadpath)" ;\ + $(verbose) $(LOADPOLICY) -q $(loadpath) ;\ + else \ + echo "Resolve binary policy configuration" ;\ + fi ######################################## # -- 2.29.2
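Review bot: in the Makefile hunk, `SESTATUS ?= $(tc_sbindir)/sestatus` places sestatus next to setfiles, while the neighbouring `LOADPOLICY ?= $(tc_usrsbindir)/load_policy` uses the usr sbin directory; policycoreutils installs sestatus into the same sbin directory as load_policy, so on a system without a merged /sbin -> /usr/sbin the default will not resolve and the new check fails before it can help. Suggest `SESTATUS ?= $(tc_usrsbindir)/sestatus` unless the setfiles location is deliberate.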
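Review bot: in the first Rules.monolithic hunk (@@ -42,6 +42,12 @@), `SELINUXDIR` and `SELINUXTYPE` are consumed by the `ifneq` directives added in the load rule, and make evaluates those while parsing the file, so `$(SESTATUS)` and the awk over `$(SELINUXDIR)/config` run on every invocation of the monolithic build, not only for `make load`. On a host where SELinux is disabled, or where sestatus is absent (the chroot/DESTDIR build the commit message describes), sestatus prints no 'SELinux root directory:' line, SELINUXDIR is empty, awk is pointed at `/config`, and the later warning reads `Edit /config and set ...`. Suggest evaluating the lookup only when `load` is in $(MAKECMDGOALS) (or inside the recipe), and failing with an explicit message when SELINUXDIR is empty. Minor: `-F= '/^SELINUXTYPE/{ print $$2 }'` returns everything after `=`, so a line such as `SELINUXTYPE=refpolicy # local build` will never compare equal to $(NAME).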
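Review bot: in the `$(tmpdir)/load` hunk (@@ -91,9 +97,28 @@), when either warning fires the recipe ends with `echo "Resolve binary policy configuration"` and exits 0, so `make load` reports success while nothing was loaded; a script or CI job gating on the exit status carries on with whatever policy is currently active. Suggest `exit 1` in the else branch so the refusal is visible. Also in this hunk: the two `ifneq` blocks are make directives evaluated at parse time, not recipe steps, so the outcome is fixed before any target runs; `$(eval NO_LOAD := $(shell echo 1))` can be `$(eval NO_LOAD := 1)`; `test -z $(NO_LOAD)` should be `test -z "$(NO_LOAD)"`, since with NO_LOAD empty it only passes because `test -z` with no operand is true; and `echo -e "\tSELINUXTYPE=..."` is not POSIX (dash prints the `-e`), so prefer `printf`. Finally, the removed `@touch $(tmpdir)/load` is what created this rule's target, so without it the rule is never up to date and `make load` always reloads; if that is intended, the commit message should say so rather than 'the file is never referenced'.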
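The pre-load check the patch adds, as an added shell example that is not part of the refpolicy patch or project: it takes the sestatus(8) output and the config file explicitly, so it can run without a live SELinux host, and unlike the hunk it treats a missing SELinux root directory (SELinux disabled) as its own failure, strips trailing comments from the SELINUXTYPE value, and returns non-zero so a caller such as a make recipe can refuse to run load_policy. The function names, the STATUS_* sample texts and the /tmp/custom-rootfs topdir used in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example, not the refpolicy patch's code: the pre-load check rewritten
# as POSIX sh functions with explicit inputs. Names are hypothetical.

# Extract the SELinux root directory from sestatus(8) output. When SELinux is
# disabled sestatus prints only the status line, so the result may be empty.
selinux_root_from_status() {
    printf '%s\n' "$1" | awk '/^SELinux root directory:/ { print $4; exit }'
}

# Read the SELINUXTYPE= value from a selinux_config(5) file, tolerating leading
# whitespace and dropping a trailing "# comment" (a bare awk -F= keeps it).
selinuxtype_from_config() {
    awk -F= '/^[ \t]*SELINUXTYPE[ \t]*=/ {
        v = $2; sub(/#.*/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }' "$1"
}

# policy_load_check STATUS_TEXT CONFIG_FILE NAME TOPDIR
#   STATUS_TEXT  output of sestatus(8)
#   CONFIG_FILE  config file under the SELinux root (normally "$root/config";
#                passed explicitly so the check can be exercised on a temp file)
#   NAME, TOPDIR the build's policy NAME and topdir ($(DESTDIR)/etc/selinux)
# Returns 0 when load_policy(8) would load the policy that was just installed,
# 2 when no SELinux root is reported, 3 on a topdir (DESTDIR) mismatch and
# 4 on a SELINUXTYPE mismatch. Diagnostics go to stderr.
policy_load_check() {
    status="$1"; config="$2"; name="$3"; topdir="$4"

    root=$(selinux_root_from_status "$status")
    if [ -z "$root" ]; then
        echo "cannot load: sestatus reports no SELinux root directory (SELinux disabled?)" >&2
        return 2
    fi
    # load_policy ignores DESTDIR: it loads from under $root, so a build that was
    # installed elsewhere (make DESTDIR=... load) must be refused.
    if [ "$topdir" != "$root" ]; then
        echo "cannot load: policy root must be $root/$name, but topdir is $topdir" >&2
        return 3
    fi
    cfgtype=$(selinuxtype_from_config "$config")
    if [ "$cfgtype" != "$name" ]; then
        echo "cannot load: $config has SELINUXTYPE=${cfgtype:-<unset>}, expected SELINUXTYPE=$name" >&2
        return 4
    fi
    return 0
}

# Constructed sample sestatus output (not captured from a real host).
STATUS_ENABLED='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing'
STATUS_DISABLED='SELinux status:                 disabled'

# Stand-alone demo: the DESTDIR case from the commit message, which must be
# refused because load_policy would read /etc/selinux, not the custom rootfs.
demo() {
    cfg=$(mktemp) || return 1
    printf 'SELINUX=enforcing\nSELINUXTYPE=refpolicy\n' > "$cfg"
    rc=0
    policy_load_check "$STATUS_ENABLED" "$cfg" refpolicy /tmp/custom-rootfs/etc/selinux || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "would run: load_policy -q"
    else
        echo "refused with status $rc"
    fi
    rm -f "$cfg"
}
demo
```

In a make recipe the call would be `policy_load_check "$$($(SESTATUS))" "$$root/config" $(NAME) $(topdir) || exit 1`, so that a refusal fails `make load` instead of printing a warning and returning success.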