From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-17.3 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D836C4361B for ; Sat, 19 Dec 2020 20:50:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 4626D223DB for ; Sat, 19 Dec 2020 20:50:39 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726385AbgLSUuX (ORCPT ); Sat, 19 Dec 2020 15:50:23 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55904 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726357AbgLSUuX (ORCPT ); Sat, 19 Dec 2020 15:50:23 -0500 Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE29AC0617B0 for ; Sat, 19 Dec 2020 12:49:42 -0800 (PST) Received: by mail-qv1-xf2a.google.com with SMTP id a4so2374801qvd.12 for ; Sat, 19 Dec 2020 12:49:42 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=GjBj1I0AoznMqorzVigUaeZijTWvlgWEngl95acPByM=; b=ghW7g8ULv/SkUoDK/kYnSA67K7HHvDgPmUF0sl5JlBLMLHy6fS4Eg8DwWgitDo9uox sqU9fAS+dYGXia6+R/ICiAMhjK9U1PsfuSSI6y6gdBCJSTuXhPV/xCgH0dLL72DJerUY +xk6yx0KVd2HSi6XUK6WhJgXLSO2XzRKPIqf4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=GjBj1I0AoznMqorzVigUaeZijTWvlgWEngl95acPByM=; b=N/H3KC7HQg91e59WmkQIxfwNFxkJi/TtmtKj6nGopu03ARuviU6Y6KNoXcD3Fzd5j6 Rhp2A0bLMazeKHf4K2hpCFxYpawFTnzIz1bd+Y2gCrs6hOAOWs5O84vsfO5vXgQ/XoE5 ColI3CCz2cP5sT+Nk6CIdaYsr+H6eAr5o7xQiPP97yjWska3jslN4Himd75LJC5zLP7a Eqpm4Fra0NzlgDAxgEm2x2lLit+dUk1DyE+/xHb3UFAeKTDZVUoxD//G9CDEn9CAyTS5 YFLxhfEg4CUNuxR5srkuNsWrubqcG1WnKnMOgzvfNuzmPmt4Vg+iCthhQRqb/QseR/ZD nSHQ== X-Gm-Message-State: AOAM5334An7JOs/x4PYpQccC2Q/leXy9srqdo/7whW9MVbwbEnGoKYs1 dSOu1pReni4BXPNNja4Vmw499wdSnrK0Ww== X-Google-Smtp-Source: ABdhPJwSTADEiYub1Ia4h77FeF2YC6qM5LGW3Kbkanj0axlaC+QExAeOAMvDRDEC9/KAUlWT+w3fyQ== X-Received: by 2002:a0c:f7c5:: with SMTP id f5mr11347979qvo.33.1608410981694; Sat, 19 Dec 2020 12:49:41 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id f19sm6748780qta.80.2020.12.19.12.49.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 19 Dec 2020 12:49:41 -0800 (PST) Subject: Re: [PATCH V2] Ensure correct monolithic binary policy is loaded To: Richard Haines , selinux-refpolicy@vger.kernel.org References: <20201218150307.8826-1-richard_c_haines@btinternet.com> From: Chris PeBenito Message-ID: <76cca0f9-5506-6590-cf05-874ae1b8fde1@ieee.org> Date: Sat, 19 Dec 2020 15:49:40 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0 MIME-Version: 1.0 In-Reply-To: <20201218150307.8826-1-richard_c_haines@btinternet.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 12/18/20 10:03 AM, Richard Haines wrote: > When building a monolithic policy with 'make load', the > selinux_config(5) file 'SELINUXTYPE' entry determines what policy > is loaded as load_policy(8) does not take a path value (it always loads > the active system policy as defined by /etc/selinux/config). > > Currently it is possible to load the wrong binary policy, for example if > the Reference Policy source is located at: > /etc/selinux/refpolicy > and the /etc/selinux/config file has the following entry: > SELINUXTYPE=targeted > Then the /etc/selinux/targeted/policy/policy. is loaded when > 'make load' is executed. > > Another example is that if the Reference Policy source is located at: > /tmp/custom-rootfs/etc/selinux/refpolicy > and the /etc/selinux/config file has the following entry: > SELINUXTYPE=refpolicy > Then the /etc/selinux/refpolicy/policy/policy. is loaded when > 'make DESTDIR=/tmp/custom-rootfs load' is executed (not the > /tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy. that the > developer thought would be loaded). > > Resolve these issues by using selinux_path(3) to resolve the policy root, > then checking the selinux_config(5) file for the appropriate SELINUXTYPE > entry. > > Remove the '@touch $(tmpdir)/load' line as the file is never referenced. > > Signed-off-by: Richard Haines > --- > V2 Changes: Use $(error .. instead of NO_LOAD logic. Use python script to > find selinux path not sestatus. Reword error messages. > > Makefile | 1 + > Rules.monolithic | 15 ++++++++++++++- > support/selinux_path.py | 13 +++++++++++++ > 3 files changed, 28 insertions(+), 1 deletion(-) > create mode 100644 support/selinux_path.py > > diff --git a/Makefile b/Makefile > index 6ba215f1..e49d43d0 100644 > --- a/Makefile > +++ b/Makefile > @@ -97,6 +97,7 @@ genxml := $(PYTHON) $(support)/segenxml.py > gendoc := $(PYTHON) $(support)/sedoctool.py > genperm := $(PYTHON) $(support)/genclassperms.py > policyvers := $(PYTHON) $(support)/policyvers.py > +selinux_path := $(PYTHON) $(support)/selinux_path.py > fcsort := $(PYTHON) $(support)/fc_sort.py > setbools := $(AWK) -f $(support)/set_bools_tuns.awk > get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed > diff --git a/Rules.monolithic b/Rules.monolithic > index a8ae98d1..cd065362 100644 > --- a/Rules.monolithic > +++ b/Rules.monolithic > @@ -42,6 +42,12 @@ vpath %.te $(all_layers) > vpath %.if $(all_layers) > vpath %.fc $(all_layers) > > +# load_policy(8) loads policy from //policy/policy. > +# It does this by reading the /config file and using the > +# SELINUX_PATH/SELINUXTYPE entries to form the initial path. > +SELINUX_PATH := $(shell $(selinux_path)) > +SELINUXTYPE := $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' $(SELINUX_PATH)/config)) > + > ######################################## > # > # default action: build policy locally > @@ -91,9 +97,16 @@ endif > # Load the binary policy > # > reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles) > +ifneq ($(SELINUXTYPE),$(NAME)) > + $(error Cannot load policy as $(SELINUX_PATH)/config file contains SELINUXTYPE=$(SELINUXTYPE) - \ > + Edit $(SELINUX_PATH)/config and set "SELINUXTYPE=$(NAME)") > +endif > +ifneq ($(topdir),$(SELINUX_PATH)) > + $(error Cannot load policy as policy root MUST be $(SELINUX_PATH)/$(NAME) - \ > + Current policy root is: $(topdir)/$(NAME)) > +endif > @echo "Loading $(NAME) $(loadpath)" > $(verbose) $(LOADPOLICY) -q $(loadpath) > - @touch $(tmpdir)/load > > ######################################## > # > diff --git a/support/selinux_path.py b/support/selinux_path.py > new file mode 100644 > index 00000000..b663ff09 > --- /dev/null > +++ b/support/selinux_path.py > @@ -0,0 +1,13 @@ > +#!/usr/bin/env python3 > + > +try: > + import warnings > + with warnings.catch_warnings(): > + warnings.filterwarnings("ignore", category=PendingDeprecationWarning) > + import selinux > + > + if selinux.is_selinux_enabled(): > + # Strip the trailing '/' > + print(selinux.selinux_path()[:-1]) Why not use selinux.selinux_binary_policy_path()? Then you don't need to parse for SELINUXTYPE above. -- Chris PeBenito