"semodule -p" accesses files on root filesystem #109
Comments
|
The problem here seems to be that libsemanage is using a libselinux interface, selinux_boolean_sub(), that internally accesses the "active" policy files, without having previously directed libselinux to an alternate root via selinux_set_policy_root(). Simplest fix would likely be to save, set, and restore the libselinux policy root around the selinux_boolean_sub() call. More complete approach would be to call selinux_set_policy_root() when setting the semanage root but this will require changes elsewhere to retain the ability to detect when we are installing to the active policy store. |
stephensmalley
added a commit
to stephensmalley/selinux
that referenced
this issue
Nov 6, 2018
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. To fix, we need to set the selinux policy root when either the semanage root or the semanage storename is set. When setting the semanage root, we need to prepend the semanage root to the selinux policy root. When setting the semanage storename, we need to replace the last component of the selinux policy root with the new storename. Test: strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
|
See if the PR fixes your issue |
stephensmalley
added a commit
to stephensmalley/selinux
that referenced
this issue
Jan 7, 2019
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
stephensmalley
added a commit
to stephensmalley/selinux
that referenced
this issue
Jan 8, 2019
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
bachradsusi
pushed a commit
to fedora-selinux/selinux
that referenced
this issue
Jan 21, 2019
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject/selinux#109 Signed-off-by: Stephen Smalley <[email protected]>
charleseb
pushed a commit
to MotorolaMobilityLLC/external-selinux
that referenced
this issue
Jan 21, 2020
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject/selinux#109 Signed-off-by: Stephen Smalley <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I want to try build offline an SELinux policy and prepared a filesystem like
Most operations work fine; e.g.
builds a (working) policy. But it appears, the
semodulestill accesses files on the rootfs. E.g. running it throughstraceshows:At least the last part seems to cause problems because substitution rules from host are applied to the offline policy. Here, it removes e.g.
allow_mount_anyfile=1from thebooleans.localfile because host configuration containswhich does not exist for the offline policy.
The text was updated successfully, but these errors were encountered: