From: Daniel J Walsh <dwalsh@redhat.com>
To: xing li <lixing.1006@gmail.com>
Cc: Tim <timasyk@gmail.com>, SELinux@tycho.nsa.gov
Subject: Re: Alternative location of policy files
Date: Sat, 27 Dec 2008 06:12:53 -0500	[thread overview]
Message-ID: <49560DB5.1020500@redhat.com> (raw)
In-Reply-To: <707f057d0812262322r76bcc43at51406c66b98a7f2a@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xing li wrote:
> 2008/12/27 xing li <lixing.1006@gmail.com>
> 
>> Its work was really done in "/sbin/init" until the last step of
>> system initialization, while the source
>> of "/sbin/init" is included in sysvinit, and it finally invoked
>> "security_load_policy()" to load the binary
>> policy "policy.XX" into the kernel structure policydb.
>>
>> And I am confused by the question:
>> when and how does SELinux label the whole file system according
>> to "file_contexts"?
>> And I found the clue that when we "touch /.autorelabel", the system would
>> invoke
>> "fixfiles relabel" to relabel the file system, but I couldn't find the
>> relevant source code.
>> Maybe somebody has investigated that and could share information?
>>
>> 2008/12/27 Tim <timasyk@gmail.com>
>>
>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>> function calls for loading SELinux policy into the Linux kernel at boot
>>> time. And I've got lost... too many calls to trace.
>>>
>>> Maybe somebody has that tracing already and can share information?
>>>
>>> Tim
>>>
>>> 2008/12/26 Justin P. Mattock <justinmattock@gmail.com>:
>>>> I think one of the main jobs
>>>> for libselinux is reading the
>>>> policy from its specified location
>>>> and then mounting the selinuxfs,
>>>> or vice versa: mounting selinuxfs
>>>> and then reading the policy. As
>>>> for changing the location, not
>>>> too sure what the code looks like;
>>>> maybe it's just a few lines to
>>>> do what you wanted.
>>>>
>>>> justin P. Mattock
>>>>
>>>>
>>>>
>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote:
>>>>
>>>>> 2008/12/25 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>> Justin P. Mattock wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> Tim wrote:
>>>>>>>>> Hello all,
>>>>>>>>>
>>>>>>>>> I was wondering, how can I change the default location of SELinux
>>>>>>>>> policy from /etc/selinux/_policyname_ to some other path?
>>>>>>>>> What source code should be modified for that?
>>>>>>>>>
>>>>>>>>> The reasons to do that are:
>>>>>>>>> - I want to work with loadable policy modules --> that requires the
>>>>>>>>> /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>> - limitation of my filesystem having the /etc directory (it is a
>>>>>>>>> read-only filesystem)
>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>> filesystem
>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
>>>>>>>> from a writeable filesystem?
>>>>>>>>
>>>>>>>> Paul.
>>>>>>>> --
>>>>>>>> This message was distributed to subscribers of the selinux mailing
>>>>>>>> list.
>>>>>>>> If you no longer wish to subscribe, send mail to
>>>>>>>> majordomo@tycho.nsa.gov
>>>>>>>> with
>>>>>>>> the words "unsubscribe selinux" without quotes as the message.
>>>>>>>>
>>>>>>> This is confusing to me:
>>>>>>> it sounds like they're not trying to mount
>>>>>>> SELinux, but have the policy load
>>>>>>> in a different location other than
>>>>>>> /etc/selinux/*
>>>>>>>
>>>>>>> regards;
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>>>
>>>>>>>
>>>>>> On second thought, from what it sounds like,
>>>>>> to have SELinux be read in another location,
>>>>>> you would have to locate in
>>>>>> libselinux the location from where the library is
>>>>>> told to read the policy, and simply just change the location,
>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>> all apps, etc. that read /etc/selinux/*
>>>>>> Maybe a simple change of /etc/selinux/config
>>>>>> seems simpler, rather than going through
>>>>>> lines of code.
>>>>>> Anyways,
>>>>>> "Merry christmas"
>>>>>>
>>>>>>
>>>>>> regards;
>>>>>>
>>>>>> Justin P. Mattock
>>>>> You are right. I would like the kernel to read policy just from a different
>>>>> location.
>>>>>
>>>>> So options are as follows:
>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>> 2. Try to change /etc/selinux/config.
>>>>>
>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>> contains the name of the policy to be loaded. And that name _policyname_ is the
>>>>> name of a directory in /etc/selinux/_policyname_ having a subdirectory
>>>>> policy with the actual policy file.
>>>>>
>>>>> So, it seems only option #1 is the one to use.
>>>>>
>>>>> Does the kernel use libselinux to read policy or does it read it directly from
>>>>> the filesystem?
>>>>> Any other pitfalls?
>>>>>
>>>>> Tim
>>>
>>
> 
Everything uses libselinux to find the paths to policy.  So if you
wanted to change the location of where SELinux stores the policy you
would need to modify libselinux.  In the file src/selinux_config.c
you would modify

$ grep /etc/selinux src/selinux_config.c
#define SELINUXDIR "/etc/selinux/"

All of the other paths are relative to this.

I do not believe that we have hard-coded this path into any other user
tools.  If we have, that is a bug.  I don't understand why you would want
to change this path, and would suggest that you use bind mounts or
remote mounts if you want these files to be located somewhere else.  You
would also need to maintain the file context if you do this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklWDbUACgkQrlYvE4MpobMTDQCeJx6Te9XwJs48kzug2elDLqe3
IqIAoIYd6mC/jm3p/FkKYyIiijKME87A
=AXLC
-----END PGP SIGNATURE-----

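To make Dan's point concrete (that libselinux reads SELINUXTYPE= from <root>/config and derives every other path from the single SELINUXDIR root, so relocating the root relocates the binary policy and file_contexts together), here is an added illustration written for this archive page. It is not libselinux code and not anything Dan or Tim posted: the helper names parse_selinux_config and policy_paths, the sample config text, the policy version 23 and the alternative root "/var/lib/selinux-rw/" are all assumptions made for the demonstration.

```python
"""Added example: derive libselinux-style policy paths from one root directory
plus the SELINUXTYPE= line in <root>/config.

Illustrative code for this archive page, not libselinux itself. The helper
names, the sample config and the alternative root are assumptions.
"""
import re
from pathlib import PurePosixPath

SELINUXDIR = "/etc/selinux/"   # the compile-time default Dan quotes from selinux_config.c
SELINUXCONFIG = "config"       # <root>/config, the file Tim's option #2 refers to

# Constructed sample of an /etc/selinux/config file (not captured from a real host).
SAMPLE_CONFIG = """\
# This file controls the state of SELinux on the system.
SELINUX=enforcing
# SELINUXTYPE= can take one of these values:
#   targeted - Targeted processes are protected,
#   strict - Full SELinux protection.
SELINUXTYPE=targeted
"""

_KV = re.compile(r"^\s*([A-Z]+)\s*=\s*(\S+)\s*$")


def parse_selinux_config(text):
    """Return {KEY: value} for KEY=value lines, skipping comments and blank lines.

    Later lines override earlier ones, as a top-to-bottom read of the file would.
    """
    values = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def policy_paths(config_text, root=SELINUXDIR, policy_version=23):
    """Derive the paths a libselinux-based tool would use for the configured policy type.

    Everything hangs off `root`: change that one string and the policy root, the
    binary policy and the file_contexts database move together, which is why Dan
    says modifying SELINUXDIR is the only source change needed. policy_version is
    the NN in policy.NN (23 is an assumption; real tools pick the highest version
    present that the running kernel supports).
    """
    cfg = parse_selinux_config(config_text)
    policy_type = cfg.get("SELINUXTYPE")
    if not policy_type:
        raise ValueError("SELINUXTYPE= missing from " + SELINUXCONFIG)
    if "/" in policy_type or policy_type in (".", ".."):
        # A policy type is a bare directory name; refuse anything that could
        # escape the root (defensive check added here, not discussed in the thread).
        raise ValueError("SELINUXTYPE must be a bare directory name")
    base = PurePosixPath(root) / policy_type
    return {
        "mode": cfg.get("SELINUX", "enforcing"),
        "policy_type": policy_type,
        "policy_root": str(base),
        "binary_policy": str(base / "policy" / f"policy.{policy_version}"),
        "file_contexts": str(base / "contexts" / "files" / "file_contexts"),
        # Module store of the 2008-era layout, the writable directory Tim needs
        # for loadable modules (assumed layout; newer libsemanage moved it).
        "modules_store": str(base / "modules"),
    }


if __name__ == "__main__":
    # Second root is hypothetical: a writable location such as Tim is asking for.
    for root in (SELINUXDIR, "/var/lib/selinux-rw/"):
        for key, path in policy_paths(SAMPLE_CONFIG, root=root).items():
            print(f"{root:24} {key:15} {path}")
```

Running it prints the same relative layout under both roots, which is the whole argument for Dan's bind-mount suggestion: mount a writable directory over /etc/selinux/<type> (or over all of SELINUXDIR) and nothing that goes through libselinux notices, provided the file contexts of the mounted tree are maintained as he notes.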


Thread overview: 19+ messages
2008-12-24  7:58 Alternative location of policy files Tim
2008-12-24  8:37 ` Justin P. Mattock
2008-12-24  8:48 ` Justin P. Mattock
2008-12-24  9:01 ` Paul Howarth
2008-12-24  9:46   ` Justin P. Mattock
2008-12-25  9:06     ` Justin P. Mattock
2008-12-25 13:36       ` Tim
2008-12-25 17:31         ` Justin P. Mattock
2008-12-27  1:33           ` Tim
     [not found]             ` <707f057d0812262321w4234ddabuc634f80a84cf5a9c@mail.gmail.com>
2008-12-27  7:22               ` xing li
2008-12-27 11:12                 ` Daniel J Walsh [this message]
2008-12-27 12:18                   ` Tim
2008-12-27 12:30                     ` Daniel J Walsh
2008-12-27 12:55                       ` Tim
2008-12-27 14:28                         ` Daniel J Walsh
2008-12-27 22:06                           ` Tim
2008-12-28  1:07                             ` Tim
2008-12-28  1:26                               ` Tom London
2008-12-28  2:23                                 ` Tim
