-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"semodule -p" accesses files on root filesystem #109
Comments
The problem here seems to be that libsemanage is using a libselinux interface, selinux_boolean_sub(), that internally accesses the "active" policy files, without having previously directed libselinux to an alternate root via selinux_set_policy_root(). Simplest fix would likely be to save, set, and restore the libselinux policy root around the selinux_boolean_sub() call. More complete approach would be to call selinux_set_policy_root() when setting the semanage root but this will require changes elsewhere to retain the ability to detect when we are installing to the active policy store. |
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. To fix, we need to set the selinux policy root when either the semanage root or the semanage storename is set. When setting the semanage root, we need to prepend the semanage root to the selinux policy root. When setting the semanage storename, we need to replace the last component of the selinux policy root with the new storename. Test: strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
See if the PR fixes your issue |
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
As reported in SELinuxProject#109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject#109 Signed-off-by: Stephen Smalley <[email protected]>
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject/selinux#109 Signed-off-by: Stephen Smalley <[email protected]>
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes SELinuxProject/selinux#109 Signed-off-by: Stephen Smalley <[email protected]>
I want to try build offline an SELinux policy and prepared a filesystem like
Most operations work fine; e.g.
builds a (working) policy. But it appears, the
semodule
still accesses files on the rootfs. E.g. running it throughstrace
shows:At least the last part seems to cause problems because substitution rules from host are applied to the offline policy. Here, it removes e.g.
allow_mount_anyfile=1
from thebooleans.local
file because host configuration containswhich does not exist for the offline policy.
The text was updated successfully, but these errors were encountered: