When creating a policy with semodule when cross-compiling, utilities on the host are accessed. #195
Comments
A new semodule command-line option along with corresponding libsemanage support for changing the path prefix for the host utilities makes sense to me. However, be aware that load_policy should never be run at all in the cross-compile scenario and should already be suppressed via -n, and sefcontext_compile output is now arch-dependent when using pcre2 (libselinux, however, recognizes a mismatch and ignores the precompiled regexes if they do not match, or you can specify -r as an argument to omit them entirely, as is done in Fedora's semanage.conf).
Thanks for the information! I set up a new branch, and before I make a fool of myself and submit this to the mailing list, if it's not too much trouble could you take a look at my modifications? My C skills are rusty at best, but this does work and Valgrind doesn't show any leaks. Thanks so much! Adam
Looks basically sane, just need to check error returns for asprintf() and semanage_set_host_utils() and deal with them appropriately. Post to [email protected] using git send-email or ask a maintainer to do so if you are unable.
Thanks for the review! I can add those now and then post them to the mailing list.
Are you still planning on updating this and submitting it?
Hey! Sorry for the radio silence. I do plan to work on this, I have just been a bit busy at work. I am planning on going to FOSDEM next week and then working with the Buildroot team to hammer this out.
Hello,
I am working on cleaning up the refpolicy package for the Buildroot project.
Currently, our refpolicy package only builds a monolithic policy; however, I would like to add the possibility to build a modular policy.
In the context of Buildroot, there are three places where packages are installed:
When running

    semodule -p output/target -s targeted -n -B

semodule calls out to libsemanage and tries to open three utilities on the host file system that are hardcoded:

    /sbin/load_policy
    /sbin/setfiles
    /sbin/sefcontext_compile
If these files do not exist on the host, then semodule will crash with a file not found error, even if these files do exist in output/host/sbin.
I am aware that I could set these paths in output/target/selinux/semanage.conf; however, this is not ideal because the paths would then point to one of two locations:

    output/host/sbin, which would then break during runtime on the target.
    output/target/sbin, which would then point to files of possibly the wrong architecture.
If I manually patch libsemanage/src/conf-parse.y and change the hardcoded paths to output/host/sbin, then

    semodule -p output/target -s targeted -n -B

works properly. I am not sure what the best way to proceed would be, so I wanted to ask the maintainers themselves.
My first idea is either an argparse value in semodule that allows someone to overwrite the host-utilities base directory.
My next idea would be, much like the meson project, to support a cross-compile.conf file of some sort which libsemanage could look for.
Any ideas?
Edit:
If anybody is interested in reproducing the error, I have a git project setup for this very issue:
Right now the refpolicy.mk file doesn't pick up on the policy files on first target_install, so after

    make refpolicy

you will have to do the following: Sorry about that!
CentOS 7's base docker image doesn't come with selinux utilities, although I am positive this would fail on Debian or Ubuntu as well.
This should reproduce the problem.
Thanks!
Adam
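The resolution step the issue describes (libsemanage opening /sbin/load_policy, /sbin/setfiles and /sbin/sefcontext_compile from a fixed prefix) and the review remark above about checking the return values of asprintf() and semanage_set_host_utils(), as an added example that is not part of this issue, of the contributor's branch, or of libsemanage's own code. It shows a hypothetical helper, resolve_host_util(), that builds each utility path under a caller-supplied prefix (for instance output/host/sbin in a Buildroot tree) and refuses to proceed when the file is missing or not executable, so a cross-compile misconfiguration produces a clear error up front rather than a later failure. The function names, the prefix argument and the all-or-nothing resolve_all_host_utils() wrapper are assumptions for illustration, not libsemanage APIs; semanage_set_host_utils() from the contributor's branch is not called here.

```c
#define _GNU_SOURCE /* asprintf() is a GNU/BSD extension */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical: the three helpers libsemanage runs after a policy build.
 * The default prefix mirrors the hardcoded /sbin paths from the issue. */
static const char *const HOST_UTILS[] = {
	"load_policy", "setfiles", "sefcontext_compile"
};
#define HOST_UTIL_COUNT 3
#define DEFAULT_PREFIX "/sbin"

static const char *effective_prefix(const char *prefix)
{
	return (prefix != NULL && *prefix != '\0') ? prefix : DEFAULT_PREFIX;
}

/* Build "<prefix>/<name>" and verify it exists and is executable.
 * Returns a malloc'd path on success (caller frees), NULL on failure
 * with errno set. The asprintf() result is checked: on failure it
 * returns -1 and the pointer's contents are undefined, so the path
 * must neither be used nor freed. */
char *resolve_host_util(const char *prefix, const char *name)
{
	char *path = NULL;

	if (asprintf(&path, "%s/%s", effective_prefix(prefix), name) < 0) {
		errno = ENOMEM;
		return NULL;
	}

	/* access(X_OK) fails with ENOENT for the "file not found" case
	 * and EACCES when the file exists but is not executable. */
	if (access(path, X_OK) != 0) {
		int saved = errno;
		free(path);
		errno = saved;
		return NULL;
	}
	return path;
}

/* Resolve all three utilities before running any of them. Returns 0
 * when all are usable (out[] receives malloc'd paths), or -1 on the
 * first failure after releasing anything already allocated and
 * leaving every out[] slot NULL, so the caller never holds a
 * half-initialised set. */
int resolve_all_host_utils(const char *prefix, char *out[HOST_UTIL_COUNT])
{
	size_t i;

	for (i = 0; i < HOST_UTIL_COUNT; i++)
		out[i] = NULL;

	for (i = 0; i < HOST_UTIL_COUNT; i++) {
		out[i] = resolve_host_util(prefix, HOST_UTILS[i]);
		if (out[i] == NULL) {
			int saved = errno;
			fprintf(stderr, "host utility %s/%s unusable: %s\n",
				effective_prefix(prefix), HOST_UTILS[i],
				strerror(saved));
			while (i-- > 0) {
				free(out[i]);
				out[i] = NULL;
			}
			errno = saved;
			return -1;
		}
	}
	return 0;
}

int main(int argc, char *argv[])
{
	/* Usage: ./resolve [prefix], e.g. ./resolve output/host/sbin */
	char *paths[HOST_UTIL_COUNT];
	const char *prefix = argc > 1 ? argv[1] : NULL;
	int i;

	if (resolve_all_host_utils(prefix, paths) != 0)
		return EXIT_FAILURE;
	for (i = 0; i < HOST_UTIL_COUNT; i++) {
		printf("%s\n", paths[i]);
		free(paths[i]);
	}
	return EXIT_SUCCESS;
}
```

Resolving all three paths before invoking any of them is the point: with the hardcoded /sbin prefix on a host without the SELinux userspace, the first missing utility is reported by name together with the prefix that was searched, which is the information needed to tell a missing host package apart from a wrong prefix.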