* How is policy.31 created from modules under /usr/share/selinux
From: Ashish Mishra @ 2020-12-05 19:19 UTC
To: selinux-refpolicy, Paul Moore, SElinux list

Hi All,

Good Morning.

I am following the SELinux Notebook and trying the same at my end.

- The refpolicy modules are copied to /usr/share/selinux/refpolicy; I can see around 400+ modules there.
  But can senior members please help me understand how /etc/selinux/refpolicy/policy/policy.31 is created using the modules available at /usr/share/selinux?
  The commands I followed:
    $ make install-src
    $ make conf
    $ make load   (tried even $ make install)
    $ make install-headers

- This can help me debug an issue where I am trying to get SELinux on my custom distro, where all the make commands execute successfully but policy.31 is not getting created.

- I can even see the "include" folder also getting created for make install-headers.

Any pointers will be helpful, or please let me know if I am missing any aspect here.

Thanks,
Ashish.
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Richard Haines @ 2020-12-06 15:29 UTC
To: Ashish Mishra; +Cc: selinux-refpolicy, Paul Moore, SElinux list

On Sun, 2020-12-06 at 00:49 +0530, Ashish Mishra wrote:
> The command i followed :
> $ make install-src
> $ make conf
> $ make load ( tried even $ make install )
> $ make install-headers

Just to be clear (as you didn't state whether the binary policy file was built at all), if you run these commands:

  mkdir refpol
  cd refpol
  git clone https://github.com/SELinuxProject/refpolicy.git
  Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
  make install-src
  cd /etc/selinux/refpolicy/src/policy
  make conf
  make load
  make install-headers

The policy binary file should now be created at:
/etc/selinux/refpolicy/policy/policy.31 (or .32 if Fedora 33)
True ??

To add a new module (that will rebuild the binary policy file) you can install the new *.te, *.if and *.fc files in a directory and run from that directory (you will need to ensure /etc/selinux/config has SELINUXTYPE=refpolicy set):

  make -f /usr/share/selinux/refpolicy/include/Makefile load

This Makefile basically reads the build.conf file, uses checkmodule to build the *.pp file, then semodule to add it to the store and build the binary policy (also using the prebuilt /usr/share/selinux/refpolicy/*.pp files).

I've just tried this on Fedora 33 with no problems.

Note: While running through this example I noticed an error in the Notebook - the Reference policy does not have a contrib section, I'll send a patch to remove:

  Add the contributed modules (policy/modules/contrib)
  git submodule init
  git submodule update
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Ashish Mishra @ 2020-12-06 16:30 UTC
To: Richard Haines; +Cc: selinux-refpolicy, Paul Moore, SElinux list

Hi Richard,

Thanks for replying back.

1) The policy.31 binary is not getting created at:
   /etc/selinux/refpolicy/policy/policy.31

2) Using the verbose mode of the makefile I can see that the semodule command is reached. But even in verbose mode, I can't see any action / command message shown for policy.31 being created. Hence I am trying to understand how the final policy.31 file is being created.

3) Below are the files being created under /etc/selinux:

   refpolicy/contexts:
   customizable_types  default_type  initrc_context  removable_context  userhelper_context  virtual_image_context
   dbus_contexts  failsafe_context  lxc_contexts  securetty_types  users  x_contexts
   default_contexts  files  openrc_contexts  sepgsql_contexts  virtual_domain_context

   refpolicy/policy:

   refpolicy/src:
   policy

4) Below are the files being created under /usr/share/selinux/refpolicy/include/:

   admin  apps  build.conf  global_tunables.xml  kernel.xml  roles  services  support  system.xml
   admin.xml  apps.xml  global_booleans.xml  kernel  Makefile  roles.xml  services.xml  system

Any pointer to a probable aspect which can cause such an error, as I am trying to understand how the policy.31 binary is created from individual modules.

Thanks,
Ashish
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Richard Haines @ 2020-12-06 17:15 UTC
To: Ashish Mishra; +Cc: selinux-refpolicy, Paul Moore, SElinux list

On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote:
> 1) The policy.31 binary is not getting created at:
> /etc/selinux/refpolicy/policy/policy.31
>
> 2) Using the verbose of makefile I can see that the semodule command
> is reached .
> But even in verbose mode , I can't see any action / command message
> shown for policy.31 being created.
> Hence I am trying to understand how the final policy.31 file is
> being created .

You will not see a reference to 'policy.31' when running semodule. It just takes the large list of modules and its store id, the rest is magic (the default name is 'policy', the version is derived from the policy-version= entry in the semanage.conf file or the kernel default). It then adds the policy binary file to:

  /etc/selinux/<SELINUXTYPE>/policy/policy.<ver>

Where <SELINUXTYPE> is the policy store id that should match the /etc/selinux/config SELINUXTYPE= entry when loading the policy.

For example when I run 'make -d load' I see (cut down):

  Loading configured modules.
  /usr/sbin/semodule -s refpolicy -i /usr/share/selinux/refpolicy/base.pp -i /usr/share/selinux/refpolicy/abrt.pp ......

BTW what distro/version are you using, as I use Fedora 33 that by default generates an '/etc/selinux/refpolicy/policy/policy.32' binary file.

> 3) Below are the files being created under /etc/selinux :
> refpolicy/policy:

My initial thought is that 'make load' is not being called or something is wrong with the 'https://github.com/SELinuxProject/selinux' installation.

> refpolicy/src:
> policy
>
> 4) Below are the files being created under

Are there any *.pp files under:
/usr/share/selinux/refpolicy

If not, again it looks like a 'https://github.com/SELinuxProject/selinux' installation problem, checkpolicy/checkmodule ??

> /usr/share/selinux/refpolicy/include/
> admin apps build.conf global_tunables.xml
> kernel.xml roles services support system.xml
> admin.xml apps.xml global_booleans.xml kernel
> Makefile roles.xml services.xml system
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Ashish Mishra @ 2020-12-07 1:21 UTC
To: Richard Haines; +Cc: selinux-refpolicy, Paul Moore, SElinux list

Hi Richard,

1) There are approx 426 *.pp files being created under /usr/share/selinux/refpolicy.
   Attached is the log, which contains the list of files.

2) I can confirm the stages till semodule.

3) This is a custom Linux SDK 4.x series BSP on which I am trying to get the refpolicy installed.

4) Any pointers to verify if make load is happening as expected, or the https://github.com/SELinuxProject/selinux installation? Because I am not observing any error here during make -v.

I am trying to look at the probable cause / pointers to debug the missing policy.31 file here.
Any inputs will be helpful.

Thanks.
Ashish
Attachment: usr-share-selinux-refpolicy.txt

/tmp/_home_octeon_linux_embedded_rootfs-rootfs/usr/share/selinux/refpolicy:() :: ls
abrt.pp         clamav.pp          fakehwclock.pp   jockey.pp         mrtg.pp           procmail.pp       sensord.pp        tzdata.pp
accountsd.pp    clock.pp           fcoe.pp          kdumpgui.pp       mta.pp            psad.pp           setrans.pp        ucspitcp.pp
acct.pp         clockspeed.pp      fetchmail.pp     kdump.pp          munin.pp          ptchown.pp        setroubleshoot.pp udev.pp
acpi.pp         clogd.pp           finger.pp        kerberos.pp       mysql.pp          publicfile.pp     seunshare.pp      ulogd.pp
afs.pp          cmirrord.pp        firewalld.pp     kerneloops.pp     nagios.pp         pulseaudio.pp     shibboleth.pp     uml.pp
aiccu.pp        cobbler.pp         firewallgui.pp   keyboardd.pp      ncftool.pp        puppet.pp         shorewall.pp      unconfined.pp
aide.pp         collectd.pp        firstboot.pp     keystone.pp       nessus.pp         pwauth.pp         shutdown.pp       unprivuser.pp
aisexec.pp      colord.pp          fprintd.pp       kismet.pp         netlabel.pp       pxe.pp            sigrok.pp         updfstab.pp
alsa.pp         comsat.pp          fstools.pp       knot.pp           netutils.pp       pyicqt.pp         slocate.pp        uptime.pp
amanda.pp       condor.pp          ftp.pp           ksmtuned.pp       networkmanager.pp pyzor.pp          slpd.pp           usbguard.pp
amavis.pp       consolekit.pp      games.pp         ktalk.pp          nis.pp            qemu.pp           slrnpull.pp       usbmodules.pp
amtu.pp         consolesetup.pp    gatekeeper.pp    kudzu.pp          nscd.pp           qmail.pp          smartmon.pp       usbmuxd.pp
anaconda.pp     consoletype.pp     gdomap.pp        l2tp.pp           nsd.pp            qpid.pp           smokeping.pp      userdomain.pp
apache.pp       corosync.pp        geoclue.pp       ldap.pp           nslcd.pp          quantum.pp        smoltclient.pp    userhelper.pp
apcupsd.pp      couchdb.pp         getty.pp         libmtp.pp         ntop.pp           quota.pp          smstools.pp       usermanage.pp
application.pp  courier.pp         gift.pp          libraries.pp      ntp.pp            rabbitmq.pp       snmp.pp           usernetctl.pp
aptcacher.pp    cpucontrol.pp      gitosis.pp       lightsquid.pp     numad.pp          radius.pp         snort.pp          uucp.pp
apt.pp          cpufreqselector.pp git.pp           likewise.pp       nut.pp            radvd.pp          sosreport.pp      uuidd.pp
arpwatch.pp     cron.pp            glance.pp        lircd.pp          nx.pp             raid.pp           soundserver.pp    uwimap.pp
asterisk.pp     cryfs.pp           glusterfs.pp     livecd.pp         oav.pp            razor.pp          spamassassin.pp   varnishd.pp
auditadm.pp     ctdb.pp            gnomeclock.pp    lldpad.pp         obex.pp           rdisc.pp          speedtouch.pp     vbetool.pp
authlogin.pp    cups.pp            gnome.pp         loadkeys.pp       oddjob.pp         readahead.pp      squid.pp          vdagent.pp
automount.pp    cvs.pp             gpg.pp           locallogin.pp     oident.pp         realmd.pp         ssh.pp            vhostmd.pp
avahi.pp        cyphesis.pp        gpm.pp           lockdev.pp        openca.pp         redis.pp          sssd.pp           virt.pp
awstats.pp      cyrus.pp           gpsd.pp          logadm.pp         openct.pp         remotelogin.pp    staff.pp          vlock.pp
backup.pp       daemontools.pp     gssproxy.pp      logging.pp        openhpi.pp        resmgr.pp         storage.pp        vmware.pp
bacula.pp       dante.pp           guest.pp         logrotate.pp      openoffice.pp     rgmanager.pp      stubby.pp         vnstatd.pp
base.pp         dbadm.pp           hadoop.pp        logwatch.pp       openvpn.pp        rhcs.pp           stunnel.pp        vpn.pp
bcfg2.pp        dbskk.pp           hal.pp           lpd.pp            openvswitch.pp    rhgb.pp           sudo.pp           w3c.pp
bind.pp         dbus.pp            hddtemp.pp       lsm.pp            pacemaker.pp      rhsmcertd.pp      su.pp             watchdog.pp
bird.pp         dcc.pp             hostapd.pp       lvm.pp            pads.pp           ricci.pp          svnserve.pp       wdmd.pp
bitlbee.pp      ddclient.pp        hostname.pp      mailman.pp        passenger.pp      rkhunter.pp       sxid.pp           webadm.pp
blueman.pp      ddcprobe.pp        hotplug.pp       mailscanner.pp    pcmcia.pp         rlogin.pp         syncthing.pp      webalizer.pp
bluetooth.pp    denyhosts.pp       howl.pp          man2html.pp       pcscd.pp          rngd.pp           sysadm.pp         wine.pp
boinc.pp        devicekit.pp       hwloc.pp         mandb.pp          pegasus.pp        roundup.pp        sysnetwork.pp     wireguard.pp
bootloader.pp   dhcp.pp            hypervkvp.pp     mcelog.pp         perdition.pp      rpcbind.pp        sysstat.pp        wireshark.pp
brctl.pp        dictd.pp           i18n_input.pp    mediawiki.pp      pingd.pp          rpc.pp            systemd.pp        wm.pp
bugzilla.pp     dirmngr.pp         icecast.pp       memcached.pp      pkcs.pp           rpm.pp            systemtap.pp      xdg.pp
cachefilesd.pp  distcc.pp          ifplugd.pp       milter.pp         plymouthd.pp      rshd.pp           tboot.pp          xen.pp
calamaris.pp    djbdns.pp          imaze.pp         minidlna.pp       podsleuth.pp      rssh.pp           tcpd.pp           xfs.pp
callweaver.pp   dkim.pp            include          minissdpd.pp      policykit.pp      rsync.pp          tcsd.pp           xguest.pp
canna.pp        dmesg.pp           inetd.pp         miscfiles.pp      polipo.pp         rtkit.pp          telepathy.pp      xprint.pp
ccs.pp          dmidecode.pp       init.pp          modemmanager.pp   portage.pp        rwho.pp           telnet.pp         xscreensaver.pp
cdrecord.pp     dnsmasq.pp         inn.pp           modutils.pp       portmap.pp        sambagui.pp       tftp.pp           xserver.pp
certmaster.pp   dnssectrigger.pp   iodine.pp        mojomojo.pp       portreserve.pp    samba.pp          tgtd.pp           yam.pp
certmonger.pp   dovecot.pp         ipsec.pp         mongodb.pp        portslave.pp      samhain.pp        thunderbird.pp    zabbix.pp
certwatch.pp    dphysswapfile.pp   iptables.pp      monit.pp          postfixpolicyd.pp sanlock.pp        timidity.pp       zarafa.pp
cfengine.pp     dpkg.pp            ircd.pp          mono.pp           postfix.pp        sasl.pp           tmpreaper.pp      zebra.pp
cgmanager.pp    drbd.pp            irc.pp           monop.pp          postgresql.pp     sblim.pp          tor.pp            zosremote.pp
cgroup.pp       dspam.pp           irqbalance.pp    mon.pp            postgrey.pp       screen.pp         tpm2.pp
chkrootkit.pp   entropyd.pp        iscsi.pp         mount.pp          ppp.pp            secadm.pp         transproxy.pp
chromium.pp     evolution.pp       isns.pp          mozilla.pp        prelink.pp        sectoolm.pp       tripwire.pp
chronyd.pp      exim.pp            jabber.pp        mpd.pp            prelude.pp        selinuxutil.pp    tuned.pp
cipe.pp         fail2ban.pp        java.pp          mplayer.pp        privoxy.pp        sendmail.pp       tvtime.pp
/tmp/_home_octeon_linux_embedded_rootfs-rootfs/usr/share/selinux/refpolicy:() ::
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Richard Haines @ 2020-12-07 12:39 UTC
To: Ashish Mishra; +Cc: selinux-refpolicy, Paul Moore, SElinux list

On Mon, 2020-12-07 at 06:51 +0530, Ashish Mishra wrote:
> I am trying to look at the probable cause / pointers to debug the
> missing policy.31 file here.
> Any inputs will be helpful .

Have you tried building a monolithic policy, as this does not use semodule (it uses checkpolicy)? Just change the build.conf to 'MONOLITHIC = y'. Building this on a clean system does not build/install the /usr/share/selinux/refpolicy modules, so it is quite a simple build. You could also set 'OUTPUT_POLICY = <ver>' to build a lower version binary policy (e.g. 21).

Otherwise (running out of ideas):

1) Is this already a working SELinux system (e.g. do you have the 'targeted' or 'mls' policy installed)?

2) When 'make load' gets to semodule, what errors do you see?

3) When semodule builds, it installs a policy store (default) at /var/lib/selinux/refpolicy. Do you have this when you build a modular policy?
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-07 12:39 ` Richard Haines
@ 2020-12-07 13:26 ` Ashish Mishra
  2020-12-08 15:36 ` Chris PeBenito
  0 siblings, 1 reply; 17+ messages in thread
From: Ashish Mishra @ 2020-12-07 13:26 UTC (permalink / raw)
To: Richard Haines; +Cc: selinux-refpolicy, Paul Moore, SElinux list

Hi Richard,

Thanks for sharing the inputs. Will try the monolithic suggestion & share the observation.

- This system doesn't have any selinux policy running. So I am adding the refpolicy to the SDK rootfs.

- I tried some further debugging & can confirm the discrepancy mentioned in (point-4) below, with PKG=refpolicy & ROOT=/tmp/custom-embedded-rootfs

1) The task of MAKE INSTALL-SRC is properly executed at the required /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
   ${MAKE} -C ${PKG} install-src DESTDIR=${ROOT}

2) The task of MAKE CONFIG is properly executed at the required /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
   ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy conf DESTDIR=${ROOT}

3) The task up to copying the *.pp files to /tmp/custom-embedded-rootfs/usr/share/selinux/refpolicy/ is proper

4) On further debugging I can confirm that the final binary (policy.31) seems to be using the HARD-CODED location /etc/selinux instead of what is being passed as DESTDIR. The policy.31 is not created at the custom-embedded-rootfs location.
   Due to this:
   - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31 instead of where I was expecting it, /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31, as DESTDIR=${ROOT}; and I do get the *.pp at the expected location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
   ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load DESTDIR=${ROOT}

Will try the pointers you suggested. Please do let me know if you have any input / suggestion / feedback on (point-4) above.

Apologies if I am missing any obvious / well-known aspect of the selinux refpolicy project here.

Thanks,
Ashish

<richard_c_haines@btinternet.com> wrote:
>
> On Mon, 2020-12-07 at 06:51 +0530, Ashish Mishra wrote:
> > Hi Richard,
> >
> > 1) There are approx 426 *.pp files being created under /usr/share/selinux/refpolicy
> > Attached is the log, which contains the list of files.
> >
> > 2) I can confirm the stages till semodule
> >
> > 3) This is a custom Linux SDK 4.x series BSP on which I am trying to get the refpolicy installed.
> >
> > 4) Any pointers to verify if make load is happening as expected or the
> > https://github.com/SELinuxProject/selinux installation?
> > Because I am not observing any error here during make -v.
> >
> > I am trying to look at the probable cause / pointers to debug the missing policy.31 file here.
> > Any inputs will be helpful.
>
> Have you tried building a monolithic policy as this does not use semodule (uses checkpolicy).
> Just change the build.conf 'MONOLITHIC = y'
> Building this on a clean system does not build/install the /usr/share/selinux/refpolicy
> modules so quite simple build.
> You could also set 'OUTPUT_POLICY = <ver>' to build a lower version binary policy (e.g. 21).
>
> Otherwise (running out of ideas):
> 1) Is this already a working SELinux system (e.g. do you have the 'targeted' or 'mls' policy installed)
> 2) When 'make load' gets to semodule, what errors do you see.
> 3) When semodule builds it installs a policy store (default) at /var/lib/selinux/refpolicy.
> Do you have this when you build a modular policy ?
>
> > Thanks.
> > Ashish
> >
> > On Sun, Dec 6, 2020 at 10:45 PM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > >
> > > On Sun, 2020-12-06 at 22:00 +0530, Ashish Mishra wrote:
> > > > Hi Richard,
> > > >
> > > > Thanks for replying back.
> > > >
> > > > 1) The policy.31 binary is not getting created at:
> > > > /etc/selinux/refpolicy/policy/policy.31
> > > >
> > > > 2) Using the verbose mode of the makefile I can see that the semodule
> > > > command is reached. But even in verbose mode, I can't see any action /
> > > > command message shown for policy.31 being created.
> > > > Hence I am trying to understand how the final policy.31 file is being created.
> > >
> > > You will not see a reference to 'policy.31' when running semodule. It
> > > just takes the large list of modules and its store id, the rest is
> > > magic (the default name is 'policy', the version is derived from the
> > > policy-version= entry in the semanage.conf file or the kernel default).
> > > It then adds the policy binary file to:
> > >
> > > /etc/selinux/<SELINUXTYPE>/policy/policy.<ver>
> > >
> > > Where <SELINUXTYPE> is the policy store id that should match the
> > > /etc/selinux/config SELINUXTYPE= entry when loading the policy.
> > >
> > > For example when I run 'make -d load' I see (cut down):
> > >
> > > Loading configured modules.
> > > /usr/sbin/semodule -s refpolicy -i /usr/share/selinux/refpolicy/base.pp
> > > -i /usr/share/selinux/refpolicy/abrt.pp ......
> > >
> > > BTW what distro/version are you using as I use Fedora 33 that by
> > > default generates an '/etc/selinux/refpolicy/policy/policy.32' binary
> > > file.
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-07 13:26 ` Ashish Mishra
@ 2020-12-08 15:36 ` Chris PeBenito
  2020-12-08 15:58 ` Ashish Mishra
  0 siblings, 1 reply; 17+ messages in thread
From: Chris PeBenito @ 2020-12-08 15:36 UTC (permalink / raw)
To: Ashish Mishra, Richard Haines; +Cc: selinux-refpolicy, Paul Moore

(SELinux main mail list to BCC since this is a refpolicy question.)

On 12/7/20 8:26 AM, Ashish Mishra wrote:
> 4) Further debugging I can confirm that the final binary (policy.31)
> seems to be using the HARD-CODED location /etc/selinux instead of what is
> being passed as DESTDIR.
> The policy.31 is not created at the custom-embedded-rootfs location.
>
> Due to this:
> - policy.31 is created in /etc/selinux/refpolicy/policy/policy.31
> instead of what I was expecting at
> /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/policy/policy.31
> as DESTDIR=${ROOT} and I do get the *.pp at the expected
> location of /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> ${MAKE} -C ${ROOT}/etc/selinux/${PKG}/src/policy load DESTDIR=${ROOT}

I can't reproduce your issue. I use monolithic policy regularly in the way
you're using it.

Here are the Makefile variables:

From Makefile:
topdir := $(DESTDIR)/etc/selinux
installdir := $(topdir)/$(strip $(NAME))
policypath := $(installdir)/policy

From Rules.monolithic:
loadpath = $(policypath)/$(notdir $(polver))

$(notdir $(polver)) is "policy.31" and NAME is what you have in build.conf, e.g.
"refpolicy".

Then the install target for monolithic looks like this (with "echo"s removed):

$(loadpath): $(policy_conf)
	@$(INSTALL) -d -m 0755 $(@D)
	$(verbose) $(CHECKPOLICY) -U $(UNK_PERMS) $^ -o $@

-- 
Chris PeBenito
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-08 15:36 ` Chris PeBenito
@ 2020-12-08 15:58 ` Ashish Mishra
  2020-12-09  9:53 ` Richard Haines
  0 siblings, 1 reply; 17+ messages in thread
From: Ashish Mishra @ 2020-12-08 15:58 UTC (permalink / raw)
To: Chris PeBenito; +Cc: Richard Haines, selinux-refpolicy, Paul Moore

Hi Chris,

Continuing on the inputs Richard shared, I was able to narrow down the problem.
To recreate it, the step can be directly tested by the command mentioned in step c.

a) I have a custom-rootfs under which I am trying to get the refpolicy installed.

b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches the state where
   # semodule -s refpolicy -i NAME-OF-MODULE
   is triggered for every module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
   ==> This semodule behavior is causing the problem.

c) By default semodule installs the file under /etc/selinux of the HOST system rather than /tmp/custom-rootfs/etc/selinux
   This behaviour can be recreated / verified by:
   # semodule -s selinux-store-name -i sample.pp
   This instruction creates an entry for selinux-store-name and creates the policy.32 file there.
   ==> Instead, here I wanted the file to be created under /tmp/custom-rootfs/etc/selinux & not /etc/selinux

d) Currently trying to look at the file from where this instruction is executed & then check if
   somehow semodule can be made to use /tmp/custom-rootfs/etc/selinux over the default /etc/selinux

Thanks for sharing the info w.r.t. your use case, will look at it. It can help me to understand the process in a better way.

Please feel free to revert if any further details are required or if I am missing any aspect.

Thanks,
Ashish

On Tue, Dec 8, 2020 at 9:06 PM Chris PeBenito <pebenito@ieee.org> wrote:
>
> (SELinux main mail list to BCC since this is a refpolicy question.)
>
> I can't reproduce your issue. I use monolithic policy regularly in the way
> you're using it.
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-08 15:58 ` Ashish Mishra
@ 2020-12-09  9:53 ` Richard Haines
  2020-12-09 14:12 ` Ashish Mishra
  0 siblings, 1 reply; 17+ messages in thread
From: Richard Haines @ 2020-12-09 9:53 UTC (permalink / raw)
To: Ashish Mishra, Chris PeBenito; +Cc: selinux-refpolicy, Paul Moore

On Tue, 2020-12-08 at 21:28 +0530, Ashish Mishra wrote:
> Hi Chris,
>
> Continuing on the inputs Richard shared, I was able to narrow down the problem.
> To recreate it, the step can be directly tested by the command mentioned in step c.
>
> a) I have a custom-rootfs under which I am trying to get the refpolicy installed.
>
> b) By using make load DESTDIR=/tmp/custom-rootfs, the setup reaches the state where
>    # semodule -s refpolicy -i NAME-OF-MODULE
>    is triggered for every module under /tmp/custom-rootfs/usr/share/selinux/refpolicy
>    ==> This semodule behavior is causing the problem.
>
> c) By default semodule installs the file under /etc/selinux of the HOST system
>    rather than /tmp/custom-rootfs/etc/selinux
>    This behaviour can be recreated / verified by:
>    # semodule -s selinux-store-name -i sample.pp
>    This instruction creates an entry for selinux-store-name and creates the policy.32 file there.
>    ==> Instead, here I wanted the file to be created under /tmp/custom-rootfs/etc/selinux & not /etc/selinux
>
> d) Currently trying to look at the file from where this instruction is executed
>    & then check if somehow semodule can be made to use /tmp/custom-rootfs/etc/selinux
>    over the default /etc/selinux
>
> Thanks for sharing the info w.r.t. your use case, will look at it.
> It can help me to understand the process in a better way.
>
> Please feel free to revert if any further details are required or if I am missing any aspect.

I've been AWOL for a few days so just picking up on this query. I can now see the problem as described. If you generate a monolithic policy (MONOLITHIC=y) using the sequence below it all works. However if you build a modular policy (MONOLITHIC=n), then semodule will install the final binary policy in /etc/selinux/refpolicy/policy regardless of DESTDIR.

I guess semodule should obey orders??

export DESTDIR=/tmp/custom-embedded-rootfs
mkdir refpol
cd refpol
git clone https://github.com/SELinuxProject/refpolicy.git
Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
make install-src
cd /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
make conf
make load

> Thanks,
> Ashish
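A quick check for where a build actually landed, as an added example that is not part of this thread or of refpolicy. It mirrors the Makefile variables Chris quoted (topdir, installdir, policypath) and tells apart the two outcomes Richard describes: the binary under DESTDIR (monolithic build) versus nothing under DESTDIR because semodule wrote the store and policy into the host's /etc/selinux (modular build). The function names policy_path, find_policy_binary, store_present and check_install are mine; the store root /var/lib/selinux is the default Richard mentions; the demo builds a throwaway fake rootfs instead of running a real build.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy.
# Mirrors the refpolicy Makefile variables quoted in the thread:
#   topdir := $(DESTDIR)/etc/selinux ; installdir := $(topdir)/$(NAME)
#   policypath := $(installdir)/policy
# and reports whether a build actually landed under DESTDIR.

# policy_path DESTDIR NAME: the directory the Makefile calls policypath.
policy_path() {
    printf '%s/etc/selinux/%s/policy\n' "$1" "$2"
}

# find_policy_binary DESTDIR NAME: print the highest-versioned policy.<ver>
# in policypath (only numeric suffixes count); return 1 if there is none.
find_policy_binary() {
    fpb_dir=$(policy_path "$1" "$2")
    fpb_best=""
    fpb_bestver=-1
    for fpb_f in "$fpb_dir"/policy.*; do
        [ -f "$fpb_f" ] || continue            # unmatched glob stays literal
        fpb_ver=${fpb_f##*.}
        case "$fpb_ver" in ''|*[!0-9]*) continue ;; esac
        if [ "$fpb_ver" -gt "$fpb_bestver" ]; then
            fpb_bestver=$fpb_ver
            fpb_best=$fpb_f
        fi
    done
    [ -n "$fpb_best" ] || return 1
    printf '%s\n' "$fpb_best"
}

# store_present DESTDIR NAME: 0 if the semodule module store for NAME exists
# under DESTDIR (assumes the default store root /var/lib/selinux).
store_present() {
    [ -d "$1/var/lib/selinux/$2" ]
}

# check_install DESTDIR NAME [HOSTROOT]: one-line verdict on where the build went.
#   ok:<path>         binary found under DESTDIR
#   host-only:<path>  nothing under DESTDIR, but HOSTROOT (default "", the real
#                     host) has it: the modular-build symptom from the thread
#   missing           neither
check_install() {
    ci_dest=$1; ci_name=$2; ci_host=${3-}
    if ci_bin=$(find_policy_binary "$ci_dest" "$ci_name"); then
        printf 'ok:%s\n' "$ci_bin"
        return 0
    fi
    if [ "$ci_dest" != "$ci_host" ] && ci_bin=$(find_policy_binary "$ci_host" "$ci_name"); then
        printf 'host-only:%s\n' "$ci_bin"
        return 1
    fi
    printf 'missing\n'
    return 1
}

# demo: a constructed throwaway rootfs standing in for /tmp/custom-embedded-rootfs
demo() {
    d_root=$(mktemp -d)
    mkdir -p "$d_root/etc/selinux/refpolicy/policy"
    : > "$d_root/etc/selinux/refpolicy/policy/policy.31"   # constructed, empty
    check_install "$d_root" refpolicy
    rm -rf "$d_root"
}
demo
```

Run it against the real tree as `check_install /tmp/custom-embedded-rootfs refpolicy` after `make load`: "ok:" with a DESTDIR path confirms the binary went where the Makefile's policypath says, while "host-only:" is exactly the modular case, where the store and policy.<ver> are on the build host rather than in the rootfs. store_present tells you whether a module store was created under DESTDIR at all, which separates a monolithic build (no store expected) from a modular one that ignored DESTDIR.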
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-09  9:53 ` Richard Haines
@ 2020-12-09 14:12 ` Ashish Mishra
  2020-12-09 14:37 ` Richard Haines
  0 siblings, 1 reply; 17+ messages in thread
From: Ashish Mishra @ 2020-12-09 14:12 UTC (permalink / raw)
To: Richard Haines; +Cc: Chris PeBenito, selinux-refpolicy, Paul Moore

Hi Richard,

Will check with the monolithic policy to check the behavior of the semodule as you suggested.

Is there any similar approach / workaround for the modular one?

Thanks for the pointers again.

Ashish

On Wed, Dec 9, 2020 at 3:23 PM Richard Haines <richard_c_haines@btinternet.com> wrote:
>
> I've been AWOL for a few days so just picking up on this query. I can
> now see the problem as described. If you generate a monolithic policy
> (MONOLITHIC=y) using the sequence below it all works. However if you build
> a modular policy (MONOLITHIC=n), then semodule will install the final
> binary policy in /etc/selinux/refpolicy/policy regardless of DESTDIR.
>
> I guess semodule should obey orders??
>
> export DESTDIR=/tmp/custom-embedded-rootfs
> mkdir refpol
> cd refpol
> git clone https://github.com/SELinuxProject/refpolicy.git
> Edit build.conf file to requirements (e.g. NAME = refpolicy etc.)
> make install-src
> cd /tmp/custom-embedded-rootfs/etc/selinux/refpolicy/src/policy
> make conf
> make load
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-09 14:12 ` Ashish Mishra
@ 2020-12-09 14:37 ` Richard Haines
  2020-12-09 15:07 ` Steve Lawrence
  0 siblings, 1 reply; 17+ messages in thread
From: Richard Haines @ 2020-12-09 14:37 UTC (permalink / raw)
To: Ashish Mishra, Chris PeBenito; +Cc: selinux-refpolicy, Paul Moore

On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> Hi Richard,
>
> Will check with the monolithic policy to check the behavior of the
> semodule as you suggested.
>
> Is there any similar approach / workaround for the modular one?

I've only had a quick look at the code and I could see two ways to fix it:
1) Modify the Rules.modular part of the make file to move or copy the policy and file contexts set of files over to $DESTDIR.
2) Modify semodule/semanage to handle $DESTDIR. I think this would be more difficult to fix as lots go on here.

Maybe Chris could comment.

> Thanks for the pointers again.
>
> Ashish
* Re: How is policy.31 created from modules under /usr/share/selinux
  2020-12-09 14:37 ` Richard Haines
@ 2020-12-09 15:07 ` Steve Lawrence
  2020-12-09 16:13 ` Richard Haines
  0 siblings, 1 reply; 17+ messages in thread
From: Steve Lawrence @ 2020-12-09 15:07 UTC (permalink / raw)
To: Richard Haines, Ashish Mishra, Chris PeBenito
Cc: selinux-refpolicy, Paul Moore

On 12/9/20 9:37 AM, Richard Haines wrote:
> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
>> Hi Richard,
>>
>> Will check with the monolithic policy to check the behavior of the
>> semodule as you suggested.
>>
>> Is there any similar approach / workaround for the modular one?
>
> I've only had a quick look at the code and I could see two ways to fix it:
> 1) Modify the Rules.modular part of the make file to move or copy the
> policy and file contexts set of files over to $DESTDIR.
> 2) Modify semodule/semanage to handle $DESTDIR. I think this would be
> more difficult to fix as lots go on here.
>

semodule does accept the -p option to change the root, so we could feed
DESTDIR into that. For example, a minimally tested patch:

diff --git a/Rules.modular b/Rules.modular
index d6224e95..64d953dc 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles) # make sure two directories exist since they are not # created by semanage @echo "Loading configured modules." - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath)) $(DESTDIR)/var/lib/selinux + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod)) ######################################## # Note that we need to create $(DESTDIR)/var/lib/selinux since semanage expects that to already exist. Though, I would suggest that maybe the "install" target should run the above semodule command with the --noreload option to install all files and build the policy binary but not actually load it into the kernel. Then make load just becomes something like semodule -p $(DESTDIR)/ --reload Makes a clear distinction between installing everything that's needed vs actually loading the policy into the kernel. Happy to create a patch if that approach makes sense. ^ permalink raw reply related [flat|nested] 17+ messages in thread
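Review bot: the context comment at the top of the hunk still says "make sure two directories exist", but the first `+` line now creates a third one, `$(DESTDIR)/var/lib/selinux`; update that comment in Rules.modular to say why the store root is needed (semanage expects it to exist, as the message below the hunk notes) so the rationale is not only in this thread. Also, the new `$(SEMODULE) -p $(DESTDIR)/ ...` line stays in the `load` target without `--noreload`, so with DESTDIR pointing at a staging rootfs it builds the policy under $(DESTDIR) and then attempts to load it into the build host's running kernel; the install/load split proposed under the hunk (`--noreload` in install, `semodule -p $(DESTDIR)/ --reload` in load) belongs in the same change rather than a follow-up.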
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Richard Haines @ 2020-12-09 16:13 UTC
To: Steve Lawrence, Ashish Mishra, Chris PeBenito
Cc: selinux-refpolicy, Paul Moore

On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> 
> On 12/9/20 9:37 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> > > Hi Richard ,
> > > 
> > > Will check with the monolithic policy to check the behavior of
> > > the semodule as you suggested.
> > > 
> > > Is there any similar approach / workaround for modular one?
> > 
> > I've only had a quick look at code and I could see two ways to fix:
> > 1) Modify the Rules.modular part of the make file to move or copy
> > the policy and file contexts set of files over to $DESTDIR.
> > 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> > be more difficult to fix as lots go on here.
> > 
> 
> semodule does accept the -p option to change the root, so we could
> feed DESTDIR into that. For example, a minimally tested patch:
> 
> diff --git a/Rules.modular b/Rules.modular
> index d6224e95..64d953dc 100644
> --- a/Rules.modular
> +++ b/Rules.modular
> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
> # make sure two directories exist since they are not
> # created by semanage
> @echo "Loading configured modules."
> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> $(DESTDIR)/var/lib/selinux
> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> $(modpkgdir)/$(mod))
> 
> ########################################
> #
> 
> 
> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> expects that to already exist.
> 
> Though, I would suggest that maybe the "install" target should run
> the above semodule command with the --noreload option to install all
> files and build the policy binary but not actually load it into the kernel.
> Then make load just becomes something like
> 
> semodule -p $(DESTDIR)/ --reload
> 
> Makes a clear distinction between installing everything that's needed
> vs actually loading the policy into the kernel. Happy to create a
> patch if that approach makes sense.

Thanks Steve, that worked for me, however I guess Chris needs to
comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
maybe a clarification comment in the README. Also need comment
regarding the use of --reload/--noreload.
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Chris PeBenito @ 2020-12-09 22:02 UTC
To: Richard Haines, Steve Lawrence, Ashish Mishra
Cc: selinux-refpolicy, Paul Moore

On 12/9/20 11:13 AM, Richard Haines wrote:
> On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
>>
>> On 12/9/20 9:37 AM, Richard Haines wrote:
>>> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
>>>> Hi Richard ,
>>>>
>>>> Will check with the monolithic policy to check the behavior of
>>>> the semodule as you suggested.
>>>>
>>>> Is there any similar approach / workaround for modular one?
>>>
>>> I've only had a quick look at code and I could see two ways to fix:
>>> 1) Modify the Rules.modular part of the make file to move or copy
>>> the policy and file contexts set of files over to $DESTDIR.
>>> 2) Modify semodule/semanage to handle $DESTDIR. I think this would
>>> be more difficult to fix as lots go on here.
>>>
>>
>> semodule does accept the -p option to change the root, so we could
>> feed DESTDIR into that. For example, a minimally tested patch:
>>
>> diff --git a/Rules.modular b/Rules.modular
>> index d6224e95..64d953dc 100644
>> --- a/Rules.modular
>> +++ b/Rules.modular
>> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
>> # make sure two directories exist since they are not
>> # created by semanage
>> @echo "Loading configured modules."
>> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
>> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
>> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>> $(DESTDIR)/var/lib/selinux
>> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
>> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
>> $(modpkgdir)/$(mod))
>>
>> ########################################
>> #
>>
>>
>> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
>> expects that to already exist.
>>
>> Though, I would suggest that maybe the "install" target should run
>> the above semodule command with the --noreload option to install all
>> files and build the policy binary but not actually load it into the kernel.
>> Then make load just becomes something like
>>
>> semodule -p $(DESTDIR)/ --reload
>>
>> Makes a clear distinction between installing everything that's needed
>> vs actually loading the policy into the kernel. Happy to create a
>> patch if that approach makes sense.
>
> Thanks Steve, that worked for me, however I guess Chris needs to
> comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
> maybe a clarification comment in the README. Also need comment
> regarding the use of --reload/--noreload.

To my knowledge, the history is that semodule was only intended to run on the
target system. If you wanted to precreate a policy you could
semodule_link+semodule_expand like what is leveraged in the validate target.

I'd take a patch that changes the Makefile behavior but would like some real
testing first.

--
Chris PeBenito
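Steve's proposed install/load split and Chris's point that semodule is meant to run on the target, as an added shell sketch (not refpolicy's Makefile and not code posted in this thread); DESTDIR, NAME and the policy version are the build inputs discussed above, while the function names, the *.pp directory argument and the locate_policy check are mine:

```shell
#!/bin/sh
# Added example, not refpolicy's own build rules: the monolithic path
# derivation Chris quotes (topdir/installdir/policypath/loadpath) and
# the modular build from Steve's patch, split into an install step
# (semodule --noreload into a DESTDIR-rooted store) and a load step
# that only makes sense on the target. Function names are mine.

# Where the monolithic "load" target writes the binary:
# $(DESTDIR)/etc/selinux/$(NAME)/policy/policy.<polver>
loadpath() {
    printf '%s/etc/selinux/%s/policy/policy.%s\n' "$1" "$2" "$3"
}

# Policy store root that semanage expects to exist under the -p root.
store_dir() {
    printf '%s/var/lib/selinux\n' "$1"
}

# Install step: add every *.pp in modpkgdir (hypothetical argument) to
# the store rooted at DESTDIR and build the binary there, without
# loading it into the running kernel (-n is semodule's --noreload).
install_into_destdir() {
    destdir=$1; name=$2; modpkgdir=$3
    mkdir -p "$(store_dir "$destdir")" "$destdir/etc/selinux/$name/policy"
    set --
    for pp in "$modpkgdir"/*.pp; do
        [ -e "$pp" ] || continue
        set -- "$@" -i "$pp"
    done
    semodule -p "$destdir/" -s "$name" -n "$@"
}

# Load step: rebuild from the store and load into the kernel; run this
# on the target itself, where the staged tree has become "/".
load_on_target() {
    semodule -p / -s "$1" -R
}

# Diagnose the symptom from the thread: did the binary land under
# DESTDIR, only under the host's /etc/selinux (DESTDIR ignored), or
# nowhere at all? Prints destdir, host or missing.
locate_policy() {
    if [ -f "$(loadpath "$1" "$2" "$3")" ]; then
        echo destdir
    elif [ -f "$(loadpath "" "$2" "$3")" ]; then
        echo host
    else
        echo missing
    fi
}
```

Running `locate_policy /tmp/custom-embedded-rootfs refpolicy 31` after `make load DESTDIR=...` tells you at once whether the staging root or the host's /etc/selinux received policy.31.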
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Ashish Mishra @ 2020-12-13 17:06 UTC
To: Chris PeBenito
Cc: Richard Haines, Steve Lawrence, selinux-refpolicy, Paul Moore

Hi Chris / Richard / Steve ,

I tried the suggested approach w.r.t Monolithic & also the patch suggested .
It seems it's creating policy.31 under DESTDIR directories .

a) Is there anything I can check specifically and share observations ?
b) Any link where we have this thread available for future reference.
I wanted to know if we have any archive which can be accessed like
other community
Something like https://lists.yoctoproject.org/g/poky/topics

Thanks ,
Ashish

On Thu, Dec 10, 2020 at 3:32 AM Chris PeBenito <pebenito@ieee.org> wrote:
>
> On 12/9/20 11:13 AM, Richard Haines wrote:
> > On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
> >>
> >> On 12/9/20 9:37 AM, Richard Haines wrote:
> >>> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
> >>>> Hi Richard ,
> >>>>
> >>>> Will check with the monolithic policy to check the behavior of
> >>>> the semodule as you suggested.
> >>>>
> >>>> Is there any similar approach / workaround for modular one?
> >>>
> >>> I've only had a quick look at code and I could see two ways to fix:
> >>> 1) Modify the Rules.modular part of the make file to move or copy
> >>> the policy and file contexts set of files over to $DESTDIR.
> >>> 2) Modify semodule/semanage to handle $DESTDIR. I think this would
> >>> be more difficult to fix as lots go on here.
> >>>
> >>
> >> semodule does accept the -p option to change the root, so we could
> >> feed DESTDIR into that. For example, a minimally tested patch:
> >>
> >> diff --git a/Rules.modular b/Rules.modular
> >> index d6224e95..64d953dc 100644
> >> --- a/Rules.modular
> >> +++ b/Rules.modular
> >> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
> >> # make sure two directories exist since they are not
> >> # created by semanage
> >> @echo "Loading configured modules."
> >> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> >> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> >> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >> $(DESTDIR)/var/lib/selinux
> >> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
> >> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
> >> $(modpkgdir)/$(mod))
> >>
> >> ########################################
> >> #
> >>
> >>
> >> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
> >> expects that to already exist.
> >>
> >> Though, I would suggest that maybe the "install" target should run
> >> the above semodule command with the --noreload option to install all
> >> files and build the policy binary but not actually load it into the kernel.
> >> Then make load just becomes something like
> >>
> >> semodule -p $(DESTDIR)/ --reload
> >>
> >> Makes a clear distinction between installing everything that's needed
> >> vs actually loading the policy into the kernel. Happy to create a
> >> patch if that approach makes sense.
> >
> > Thanks Steve, that worked for me, however I guess Chris needs to
> > comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
> > maybe a clarification comment in the README. Also need comment
> > regarding the use of --reload/--noreload.
>
> To my knowledge, the history is that semodule was only intended to run on the
> target system. If you wanted to precreate a policy you could
> semodule_link+semodule_expand like what is leveraged in the validate target.
>
> I'd take a patch that changes the Makefile behavior but would like some real
> testing first.
>
> --
> Chris PeBenito
* Re: How is policy.31 created from modules under /usr/share/selinux
From: Chris PeBenito @ 2020-12-14 15:16 UTC
To: Ashish Mishra
Cc: Richard Haines, Steve Lawrence, selinux-refpolicy, Paul Moore

On 12/13/20 12:06 PM, Ashish Mishra wrote:
> Hi Chris / Richard / Steve ,
>
> I tried the suggested approach w.r.t Monolithic & also the patch suggested .
> It seems it's creating policy.31 under DESTDIR directories .
>
> a) Is there anything I can check specifically and share observations ?

I don't understand what you're asking.

> b) Any link where we have this thread available for future reference.
> I wanted to know if we have any archive which can be accessed like
> other community
> Something like https://lists.yoctoproject.org/g/poky/topics

The mail list archive is here: https://lore.kernel.org/selinux-refpolicy/

> On Thu, Dec 10, 2020 at 3:32 AM Chris PeBenito <pebenito@ieee.org> wrote:
>>
>> On 12/9/20 11:13 AM, Richard Haines wrote:
>>> On Wed, 2020-12-09 at 10:07 -0500, Steve Lawrence wrote:
>>>>
>>>> On 12/9/20 9:37 AM, Richard Haines wrote:
>>>>> On Wed, 2020-12-09 at 19:42 +0530, Ashish Mishra wrote:
>>>>>> Hi Richard ,
>>>>>>
>>>>>> Will check with the monolithic policy to check the behavior of
>>>>>> the semodule as you suggested.
>>>>>>
>>>>>> Is there any similar approach / workaround for modular one?
>>>>>
>>>>> I've only had a quick look at code and I could see two ways to fix:
>>>>> 1) Modify the Rules.modular part of the make file to move or copy
>>>>> the policy and file contexts set of files over to $DESTDIR.
>>>>> 2) Modify semodule/semanage to handle $DESTDIR. I think this would
>>>>> be more difficult to fix as lots go on here.
>>>>>
>>>>
>>>> semodule does accept the -p option to change the root, so we could
>>>> feed DESTDIR into that. For example, a minimally tested patch:
>>>>
>>>> diff --git a/Rules.modular b/Rules.modular
>>>> index d6224e95..64d953dc 100644
>>>> --- a/Rules.modular
>>>> +++ b/Rules.modular
>>>> @@ -55,8 +55,8 @@ load: $(instpkg) $(appfiles)
>>>> # make sure two directories exist since they are not
>>>> # created by semanage
>>>> @echo "Loading configured modules."
>>>> - @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>>>> - $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
>>>> $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
>>>> + @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
>>>> $(DESTDIR)/var/lib/selinux
>>>> + $(verbose) $(SEMODULE) -p $(DESTDIR)/ -s $(NAME) -i
>>>> $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i
>>>> $(modpkgdir)/$(mod))
>>>>
>>>> ########################################
>>>> #
>>>>
>>>>
>>>> Note that we need to create $(DESTDIR)/var/lib/selinux since semanage
>>>> expects that to already exist.
>>>>
>>>> Though, I would suggest that maybe the "install" target should run
>>>> the above semodule command with the --noreload option to install all
>>>> files and build the policy binary but not actually load it into the kernel.
>>>> Then make load just becomes something like
>>>>
>>>> semodule -p $(DESTDIR)/ --reload
>>>>
>>>> Makes a clear distinction between installing everything that's needed
>>>> vs actually loading the policy into the kernel. Happy to create a
>>>> patch if that approach makes sense.
>>>
>>> Thanks Steve, that worked for me, however I guess Chris needs to
>>> comment as the $(DESTDIR)/var/lib/selinux needs to be generated and
>>> maybe a clarification comment in the README. Also need comment
>>> regarding the use of --reload/--noreload.
>>
>> To my knowledge, the history is that semodule was only intended to run on the
>> target system. If you wanted to precreate a policy you could
>> semodule_link+semodule_expand like what is leveraged in the validate target.
>>
>> I'd take a patch that changes the Makefile behavior but would like some real
>> testing first.
>>
>> --
>> Chris PeBenito

--
Chris PeBenito
Thread overview: 17+ messages (newest 2020-12-18 8:24 UTC)
2020-12-05 19:19 How is policy.31 created from modules under /usr/share/selinux - Ashish Mishra
2020-12-06 15:29 Richard Haines
2020-12-06 16:30 Ashish Mishra
2020-12-06 17:15 Richard Haines
2020-12-07 1:21 Ashish Mishra
2020-12-07 12:39 Richard Haines
2020-12-07 13:26 Ashish Mishra
2020-12-08 15:36 Chris PeBenito
2020-12-08 15:58 Ashish Mishra
2020-12-09 9:53 Richard Haines
2020-12-09 14:12 Ashish Mishra
2020-12-09 14:37 Richard Haines
2020-12-09 15:07 Steve Lawrence
2020-12-09 16:13 Richard Haines
2020-12-09 22:02 Chris PeBenito
2020-12-13 17:06 Ashish Mishra
2020-12-14 15:16 Chris PeBenito