* Alternative location of policy files
@ 2008-12-24 7:58 Tim
2008-12-24 8:37 ` Justin P. Mattock
` (2 more replies)
0 siblings, 3 replies; 19+ messages in thread
From: Tim @ 2008-12-24 7:58 UTC (permalink / raw)
To: SELinux mailing list; +Cc: timasyk
Hello all,
I was wondering, how can I change the default location of the SELinux policy
from /etc/selinux/_policyname_ to some other path?
What source code should be modified for that?
The reasons to do that are:
- I want to work with loadable policy modules --> that requires the
/etc/selinux/_policyname_ directory to be writable.
- limitation of my filesystem having the /etc directory (it is a read-only filesystem)
- unfortunately, I cannot mount /etc into some other writable filesystem
Kindest regards,
Tim
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Alternative location of policy files
From: Justin P. Mattock @ 2008-12-24 8:37 UTC (permalink / raw)
To: Tim; +Cc: SELinux mailing list
Tim wrote:
> I was wondering, how can I change the default location of the SELinux policy
> from /etc/selinux/_policyname_ to some other path?
> What source code should be modified for that?
[...]
That's a first!! not sure what to say..
maybe add /somelocation in /etc/selinux/config under SELINUXTYPE
regards;
Justin P. Mattock
* Re: Alternative location of policy files
From: Justin P. Mattock @ 2008-12-24 8:48 UTC (permalink / raw)
To: Tim; +Cc: SELinux mailing list
FWIW SELinux reads the policy, then enforces what it reads. So if everything is
chmoded 0400 then you should be fine. But I could be wrong ;/
regards;
Justin P. Mattock
* Re: Alternative location of policy files
From: Paul Howarth @ 2008-12-24 9:01 UTC (permalink / raw)
To: SELinux mailing list
Tim wrote:
> - I want to work with loadable policy modules --> that requires the
> /etc/selinux/_policyname_ directory to be writable.
> - limitation of my filesystem having the /etc directory (it is a read-only filesystem)
> - unfortunately, I cannot mount /etc into some other writable filesystem
Perhaps you could mount /etc/selinux/_policyname_ rather than /etc from a
writeable filesystem?
Paul.
* Re: Alternative location of policy files
From: Justin P. Mattock @ 2008-12-24 9:46 UTC (permalink / raw)
To: Paul Howarth; +Cc: SELinux mailing list
Paul Howarth wrote:
> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
> from a writeable filesystem?
This is confusing to me: it sounds like they're not trying to mount SELinux,
but to have the policy load from a different location than /etc/selinux/*
regards;
Justin P. Mattock
* Re: Alternative location of policy files
From: Justin P. Mattock @ 2008-12-25 9:06 UTC (permalink / raw)
To: Paul Howarth; +Cc: SELinux mailing list
Justin P. Mattock wrote:
> This is confusing to me: it sounds like they're not trying to mount SELinux,
> but to have the policy load from a different location than /etc/selinux/*
On second thought, from what it sounds like, to have SELinux read from another
location you would have to locate in libselinux the place where the library is
told to read the policy, and simply change the location; but then you might
have to change the kernel, all the libraries, all apps, etc. that read
/etc/selinux/*. Maybe a simple change of /etc/selinux/config seems simpler,
rather than going through lines of code.
Anyways, "Merry Christmas"
regards;
Justin P. Mattock
* Re: Alternative location of policy files
From: Tim @ 2008-12-25 13:36 UTC (permalink / raw)
To: Justin P. Mattock; +Cc: Paul Howarth, SELinux mailing list
2008/12/25 Justin P. Mattock <justinmattock@gmail.com>:
> On second thought, from what it sounds like, to have SELinux read from another
> location you would have to locate in libselinux the place where the library is
> told to read the policy, and simply change the location; but then you might
> have to change the kernel, all the libraries, all apps, etc. that read
> /etc/selinux/*. Maybe a simple change of /etc/selinux/config seems simpler,
> rather than going through lines of code.
You are right. I would like the kernel to read the policy just from a
different location.
So the options are as follows:
1. Change the libselinux sources and the sources of all related apps + kernel.
2. Try to change /etc/selinux/config.
Regarding the second one - the manuals on SELinux say that /etc/selinux/config
contains the name of the policy to be loaded. And that name _policyname_ is the
name of a directory /etc/selinux/_policyname_ having a subdirectory policy with
the actual policy file.
So, it seems only option #1 is the one to use.
Does the kernel use libselinux to read the policy, or does it read it directly
from the filesystem?
Any other pitfalls?
Tim
* Re: Alternative location of policy files
From: Justin P. Mattock @ 2008-12-25 17:31 UTC (permalink / raw)
To: Tim; +Cc: Paul Howarth, SELinux mailing list
I think one of the main jobs for libselinux is reading the policy from its
specified location and then mounting the selinuxfs, or vice versa: mounting
selinuxfs and then reading the policy. As for changing the location, not too
sure what the code looks like; maybe it's just a few liners to do what you
wanted.
justin P. Mattock
On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote:
> Does the kernel use libselinux to read the policy, or does it read it directly
> from the filesystem?
> Any other pitfalls?
* Re: Alternative location of policy files
From: Tim @ 2008-12-27 1:33 UTC (permalink / raw)
To: Justin P. Mattock; +Cc: Paul Howarth, SELinux mailing list
OK. I'm trying to trace the Linux sources to find the exact sequence of
function calls for loading the SELinux policy into the Linux kernel at boot
time. And I'm lost... too many calls to trace.
Maybe somebody has that tracing already and can share the information?
Tim
* Re: Alternative location of policy files
From: xing li @ 2008-12-27 7:22 UTC (permalink / raw)
To: Tim, SELinux
Its work was really done in "/sbin/init" until the last step of system
initialization, while the source of "/sbin/init" is included in sysvinit. And
it finally invoked "security_load_policy()" to load the binary policy
"policy.XX" into the kernel structure policydb.
And I am confused by the question: when and how does SELinux label the whole
file system according to "file_contexts"?
And I found the clue that when we "touch /.autorelabel", the system would
invoke "fixfiles relabel" to relabel the file system, but I couldn't find the
relevant source code.
Maybe somebody has investigated that and could share the information?
2008/12/27 Tim <timasyk@gmail.com>
> OK. I'm trying to trace the Linux sources to find the exact sequence of
> function calls for loading the SELinux policy into the Linux kernel at boot
> time. And I'm lost... too many calls to trace.
>
> Maybe somebody has that tracing already and can share the information?
* Re: Alternative location of policy files
From: Daniel J Walsh @ 2008-12-27 11:12 UTC (permalink / raw)
To: xing li; +Cc: Tim, SELinux
xing li wrote:
> 2008/12/27 Tim <timasyk@gmail.com>
>> OK. I'm trying to trace the Linux sources to find the exact sequence of
>> function calls for loading the SELinux policy into the Linux kernel at boot
>> time. And I'm lost... too many calls to trace.
Everything uses libselinux to find the paths to policy. So if you wanted to
change the location of where SELinux stores the policy you would need to modify
libselinux. In the file src/selinux_config.c you would modify

$ grep /etc/selinux src/selinux_config.c
#define SELINUXDIR "/etc/selinux/"

All of the other paths are relative to this.

I do not believe that we have hard coded this path in to any other user tools.
If we have that is a bug. I don't understand why you would want to change this
path, and would suggest that you use bind mounts or remote mounts if you want
these files to be located somewhere else. You would also need to maintain the
file context if you do this.
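Dan's answer above describes one root that every other path hangs off: /etc/selinux/config names the policy type, and the policy, contexts and module directories are all found under SELINUXDIR/<type>/. The Python below models that derivation so the effect of relocating the root (or of mounting a writable filesystem at the type directory, as Paul suggested) can be seen on a constructed tree without touching a live system. It is an added example written for this page, not libselinux code; the subdirectory names follow the layout the thread describes, the default type name "targeted" is assumed, and the rejection of a SELINUXTYPE containing a slash is the example's own check.

```python
import os
import re
import tempfile

# The single root every other libselinux path hangs off; Dan Walsh's grep
# shows it as the SELINUXDIR #define in src/selinux_config.c.
DEFAULT_SELINUXDIR = "/etc/selinux/"

# A policy type must be a bare directory name.  Rejecting separators is this
# example's own check: a value such as "/somelocation" would otherwise escape
# the root instead of selecting a policy beneath it.
TYPE_RE = re.compile(r"^[A-Za-z0-9_.-]+$")


def parse_selinux_config(text):
    """Parse the KEY=value lines of /etc/selinux/config, ignoring comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def policy_paths(selinuxdir, policytype):
    """Return the paths derived from <selinuxdir>/<policytype>.

    The subdirectory names (policy/, contexts/files/file_contexts, modules/)
    follow the layout the thread describes; only the root moves when the
    SELINUXDIR define is changed.
    """
    if not TYPE_RE.match(policytype):
        raise ValueError("SELINUXTYPE must be a bare directory name: %r" % policytype)
    root = os.path.join(selinuxdir, policytype)
    return {
        "root": root,
        "policy_dir": os.path.join(root, "policy"),
        "file_contexts": os.path.join(root, "contexts", "files", "file_contexts"),
        "modules_dir": os.path.join(root, "modules"),
    }


def binary_policy(policy_dir):
    """Pick the highest-versioned policy.N in policy_dir, or None if absent.

    load_policy probes versions from the newest the kernel supports downwards;
    taking the highest file present models that for one kernel.
    """
    if not os.path.isdir(policy_dir):
        return None
    best = None
    for name in os.listdir(policy_dir):
        m = re.fullmatch(r"policy\.(\d+)", name)
        if m and (best is None or int(m.group(1)) > best[0]):
            best = (int(m.group(1)), os.path.join(policy_dir, name))
    return best[1] if best else None


def resolve(selinuxdir, config_text):
    """Config -> SELINUXTYPE -> derived paths -> binary policy -> writability."""
    conf = parse_selinux_config(config_text)
    # "targeted" as the fallback type name is an assumption of this example.
    paths = policy_paths(selinuxdir, conf.get("SELINUXTYPE", "targeted"))
    paths["binary_policy"] = binary_policy(paths["policy_dir"])
    # Loadable modules need the type directory writable (Tim's requirement),
    # which a read-only /etc cannot satisfy unless something else is mounted there.
    paths["modules_writable"] = os.access(paths["root"], os.W_OK)
    return paths


def build_demo_tree(root, policytype="targeted", versions=(21, 23)):
    """Create a constructed policy tree under root; return a constructed config."""
    policy_dir = os.path.join(root, policytype, "policy")
    os.makedirs(policy_dir)
    for v in versions:
        open(os.path.join(policy_dir, "policy.%d" % v), "wb").close()
    return "# constructed config\nSELINUX=enforcing\nSELINUXTYPE=%s\n" % policytype


def demo_relocated_root():
    """Resolve against a constructed tree under a temporary root instead of /etc."""
    with tempfile.TemporaryDirectory() as tmp:
        alt_root = os.path.join(tmp, "selinux") + "/"
        return resolve(alt_root, build_demo_tree(alt_root))


if __name__ == "__main__":
    for key, value in demo_relocated_root().items():
        print("%-16s %s" % (key, value))
```

Running it against DEFAULT_SELINUXDIR on a real host instead of the constructed tree shows the same derivation with binary_policy reporting None wherever no policy directory exists.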
* Re: Alternative location of policy files
2008-12-27 11:12 ` Daniel J Walsh
@ 2008-12-27 12:18 ` Tim
2008-12-27 12:30 ` Daniel J Walsh
0 siblings, 1 reply; 19+ messages in thread
From: Tim @ 2008-12-27 12:18 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: xing li, SELinux

2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
> xing li wrote:
>> 2008/12/27 xing li <lixing.1006@gmail.com>
>>
>>> Its work was really done in "/sbin/init" until the last step of
>>> system initialization, while the source of "/sbin/init" is included
>>> in sysvinit, and it finally invoked "security_load_policy()" to load
>>> the binary policy "policy.XX" into the kernel structure policydb.
>>>
>>> And I am confused by the question:
>>> when and how does SELinux label the whole file system according
>>> to "file_contexts"?
>>> And I found the clue that when we "touch /.autorelabel", the system
>>> would invoke "fixfiles relabel" to relabel the file system, but I
>>> couldn't find the relevant source code.
>>> Maybe somebody has investigated that and could share information?
>>>
>>> 2008/12/27 Tim <timasyk@gmail.com>
>>>
>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>> function calls for loading SELinux policy into the Linux kernel at
>>>> boot time. And I'm lost... too many calls to trace.
>>>>
>>>> Maybe somebody has that tracing already and can share information?
>>>>
>>>> Tim
>>>>
>>>> 2008/12/26 Justin P. Mattock <justinmattock@gmail.com>:
>>>>> I think one of the main jobs
>>>>> for libselinux is reading the
>>>>> policy from its specified location
>>>>> and then mounting selinuxfs,
>>>>> or vice versa, mounting selinuxfs
>>>>> and then reading the policy. As
>>>>> for changing the location, not
>>>>> too sure what the code looks like;
>>>>> maybe it's just a few lines to
>>>>> do what you wanted.
>>>>>
>>>>> Justin P. Mattock
>>>>>
>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote:
>>>>>
>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>>> Justin P. Mattock wrote:
>>>>>>>> Paul Howarth wrote:
>>>>>>>>> Tim wrote:
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I was wondering, how can I change the default location of SELinux
>>>>>>>>>> policy from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>
>>>>>>>>>> The reasons to do that are:
>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>> the /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>> - limitation of my filesystem having the /etc directory (it is a
>>>>>>>>>> read-only filesystem)
>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>>> filesystem
>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc
>>>>>>>>> from a writeable filesystem?
>>>>>>>>>
>>>>>>>>> Paul.
>>>>>>>> This is confusing to me:
>>>>>>>> it sounds like they're not trying to mount
>>>>>>>> SELinux, but have the policy load
>>>>>>>> from a different location other than
>>>>>>>> /etc/selinux/*
>>>>>>>>
>>>>>>>> regards;
>>>>>>>>
>>>>>>>> Justin P. Mattock
>>>>>>> On second thought, from what it sounds,
>>>>>>> to have SELinux be read from another location,
>>>>>>> you would have to locate in
>>>>>>> libselinux the location from where the library is
>>>>>>> told to read the policy, and simply just change the location,
>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>> all apps, etc. that read /etc/selinux/*
>>>>>>> maybe a simple change of /etc/selinux/config
>>>>>>> seems simpler, rather than going through
>>>>>>> lines of code.
>>>>>>> Anyways,
>>>>>>> "Merry christmas"
>>>>>>>
>>>>>>> regards;
>>>>>>>
>>>>>>> Justin P. Mattock
>>>>>> You are right. I would like the kernel to read policy just from a
>>>>>> different location.
>>>>>>
>>>>>> So the options are as follows:
>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>
>>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>>> contains the name of the policy to be loaded. And that name _policyname_
>>>>>> is the name of a directory /etc/selinux/_policyname_ having a subdirectory
>>>>>> policy with the actual policy file.
>>>>>>
>>>>>> So, it seems only option #1 is the one to use.
>>>>>>
>>>>>> Does the kernel use libselinux to read policy or does it read it
>>>>>> directly from the filesystem?
>>>>>> Any other pitfalls?
>>>>>>
>>>>>> Tim
> Everything uses libselinux to find the paths to policy. So if you
> wanted to change the location of where SELinux stores the policy you
> would need to modify libselinux. In the file src/selinux_config.c
> you would modify
>
> $ grep /etc/selinux src/selinux_config.c
> #define SELINUXDIR "/etc/selinux/"
>
> All of the other paths are relative to this.
>
> I do not believe that we have hard coded this path into any other user
> tools. If we have, that is a bug. I don't understand why you would want
> to change this path, and would suggest that you use bind mounts or
> remote mounts if you want these files to be located somewhere else. You
> would also need to maintain the file context if you do this.

The motivation for having an alternative path for the SELinux policy
directory _policyname_ in /etc/selinux/_policyname_ is as follows:
1) I have a legacy system that mounts the root filesystem, including
/etc/selinux/..., in read-only mode;
2) the system also mounts a writable filesystem;
3) I can not change that behaviour (modes of mounting, filesystem
types, sequence of mounting, number of mount points etc.) of the legacy
system for some reason;
4) I can freely modify sources -> kernel, selinux-related (under the
above limitations);
5) there is a requirement to support the modular policy infrastructure
in that system.
To do that I plan to make the SELinux subsystem operate on policy-related
files in a different location --> on the writable filesystem.

Could you please clarify that?
> You would also need to maintain the file context if you do this.

Tim
* Re: Alternative location of policy files
2008-12-27 12:18 ` Tim
@ 2008-12-27 12:30 ` Daniel J Walsh
2008-12-27 12:55 ` Tim
0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2008-12-27 12:30 UTC (permalink / raw)
To: Tim; +Cc: xing li, SELinux

Tim wrote:
> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>> Everything uses libselinux to find the paths to policy. So if you
>> wanted to change the location of where SELinux stores the policy you
>> would need to modify libselinux. In the file src/selinux_config.c
>> you would modify
>>
>> $ grep /etc/selinux src/selinux_config.c
>> #define SELINUXDIR "/etc/selinux/"
>>
>> All of the other paths are relative to this.
>>
>> I do not believe that we have hard coded this path into any other user
>> tools. If we have, that is a bug. I don't understand why you would want
>> to change this path, and would suggest that you use bind mounts or
>> remote mounts if you want these files to be located somewhere else. You
>> would also need to maintain the file context if you do this.
>
> The motivation for having an alternative path for the SELinux policy
> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
> 1) I have a legacy system that mounts the root filesystem, including
> /etc/selinux/..., in read-only mode;
> 2) the system also mounts a writable filesystem;
> 3) I can not change that behaviour (modes of mounting, filesystem
> types, sequence of mounting, number of mount points etc.) of the legacy
> system for some reason;
> 4) I can freely modify sources -> kernel, selinux-related (under the
> above limitations);
> 5) there is a requirement to support the modular policy infrastructure
> in that system.
> To do that I plan to make the SELinux subsystem operate on policy-related
> files in a different location --> on the writable filesystem.
>
> Could you please clarify that?
>> You would also need to maintain the file context if you do this.
>
> Tim

If you want to maintain the SELinux files on, say, /var/lib/selinux then
all of the file contexts under /var/lib/selinux need to match those of
/etc/selinux.

So /var/lib/selinux/targeted needs to be labeled selinux_config_t.

In Rawhide for example I have the following labeling for /etc/selinux:

# grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
/etc/selinux(/.*)?                                   system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers                     -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?users(/.*)?                 -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?                   system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?setrans\.conf               -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?contexts(/.*)?                 system_u:object_r:default_context_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)?           system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK   -- system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK  -- system_u:object_r:semanage_trans_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0

You can set up matching labels for /var/lib/selinux with the semanage
command.

# semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
...
* Re: Alternative location of policy files
2008-12-27 12:30 ` Daniel J Walsh
@ 2008-12-27 12:55 ` Tim
2008-12-27 14:28 ` Daniel J Walsh
0 siblings, 1 reply; 19+ messages in thread
From: Tim @ 2008-12-27 12:55 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: xing li, SELinux

2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
> If you want to maintain the SELinux files on, say, /var/lib/selinux then
> all of the file contexts under /var/lib/selinux need to match those of
> /etc/selinux.
>
> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>
> You can set up matching labels for /var/lib/selinux with the semanage
> command.
>
> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
> ...

Thank you for the clarification.
I will try to change the suggested libselinux line to point to a different
location and post the results.

Tim
* Re: Alternative location of policy files 2008-12-27 12:55 ` Tim @ 2008-12-27 14:28 ` Daniel J Walsh 2008-12-27 22:06 ` Tim 0 siblings, 1 reply; 19+ messages in thread From: Daniel J Walsh @ 2008-12-27 14:28 UTC (permalink / raw) To: Tim; +Cc: xing li, SELinux -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tim wrote: > 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>: > Tim wrote: >>>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>: >>>> xing li wrote: >>>>>>> 2008/12/27 xing li <lixing.1006@gmail.com> >>>>>>> >>>>>>>> It's work was rearly done in the "/sbin/init" until the last step of >>>>>>>> system initialization, while the source >>>>>>>> of "/sbin/init" is included in the sysvinit. and it finally invoked >>>>>>>> "security_load_policy()" to load the binary >>>>>>>> policy "policy.XX" to the kernel structure policydb. >>>>>>>> >>>>>>>> and i have confused by the question: >>>>>>>> when and how the selinux label the all file system according >>>>>>>> to "file_contexts"? >>>>>>>> and i found the clue that when we "touch /.autorelabel",the system would >>>>>>>> invoke >>>>>>>> "fixfiles relabel" to relabel the file system. but i could't find the >>>>>>>> relevant source code. >>>>>>>> Maybt somebody has investigated that and could share infomation? >>>>>>>> >>>>>>>> 2008/12/27 Tim <timasyk@gmail.com> >>>>>>>> >>>>>>>> OK. I'm trying to trace Linux sources to find exact sequence of >>>>>>>>> function calls for loading SELinux policy into Linux kernel at boot >>>>>>>>> time. And I've lost... to many calls to trace. >>>>>>>>> >>>>>>>>> Maybe somebody has that tracing already and can share information? >>>>>>>>> >>>>>>>>> Tim >>>>>>>>> >>>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@gmail.com>: >>>>>>>>> > I think, one of the main jobs >>>>>>>>>> For libselinux is reading the >>>>>>>>>> Policy, from it specefied location >>>>>>>>>> And then mounting the selinuxfs. >>>>>>>>>> Or vise versa mounting selinuxfs, >>>>>>>>>> And then reading the policy. 
As >>>>>>>>>> For changing the location, not >>>>>>>>>> To sure what the code looks like, >>>>>>>>>> Maybe it's just a few liners to >>>>>>>>>> Do what you wanted. >>>>>>>>>> >>>>>>>>>> justin P. Mattock >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@gmail.com>: >>>>>>>>>>>> Justin P. Mattock wrote: >>>>>>>>>>>>> Paul Howarth wrote: >>>>>>>>>>>>>> Tim wrote: >>>>>>>>>>>>>>> Hello all, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I was wondering, how can I change default location of SELinux >>>>>>>>> policy >>>>>>>>>>>>>>> from /etc/selinux/_policyname_ to some other path? >>>>>>>>>>>>>>> What source codes should be modified for that? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> The reason to do that are: >>>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires >>>>>>>>>>>>>>> /etc/selinux/_policyname_ directory to be writable. >>>>>>>>>>>>>>> - limitation of my filesystem having /etc directory (it is >>>>>>>>> read-only >>>>>>>>>>>>>>> filesystem) >>>>>>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable >>>>>>>>>>>>>>> filesystem >>>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc >>>>>>>>> from >>>>>>>>>>>>>> a >>>>>>>>>>>>>> writeable filesystem? >>>>>>>>>>>>>> >>>>>>>>>>>>>> Paul. >>>>>>>>>>>>>> cy >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> This message was distributed to subscribers of the selinux mailing >>>>>>>>>>>>>> list. >>>>>>>>>>>>>> If you no longer wish to subscribe, send mail to >>>>>>>>>>>>>> majordomo@tycho.nsa.gov >>>>>>>>>>>>>> with >>>>>>>>>>>>>> the words "unsubscribe selinux" without quotes as the message. 
>>>>>>>>>>>>>> >>>>>>>>>>>>> This is confusing to me: >>>>>>>>>>>>> it sounds like there not trying to mount >>>>>>>>>>>>> SELinux, but have the policy load >>>>>>>>>>>>> in a different location other than >>>>>>>>>>>>> /etc/selinux/* >>>>>>>>>>>>> >>>>>>>>>>>>> regards; >>>>>>>>>>>>> >>>>>>>>>>>>> Justin P. Mattock >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> On second thought from what it sounds, >>>>>>>>>>>> to have SELinux be read in another location, >>>>>>>>>>>> you would have to locate in >>>>>>>>>>>> libselinux the location from where the library is >>>>>>>>>>>> told to read the the policy, and simple just change the location, >>>>>>>>>>>> but then you might have to change the kernel, all the libraries, >>>>>>>>>>>> all apps, etc.. that read /etc/selinux/* >>>>>>>>>>>> maybe a simple change of /etc/selinux/config >>>>>>>>>>>> seems simpler. rather than going through >>>>>>>>>>>> lines of code. >>>>>>>>>>>> Anyways, >>>>>>>>>>>> "Merry christmas" >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> regards; >>>>>>>>>>>> >>>>>>>>>>>> Justin P. Mattock >>>>>>>>>>> You are right. I would like kernel to read policy just from different >>>>>>>>>>> location. >>>>>>>>>>> >>>>>>>>>>> So options are as folowing: >>>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel. >>>>>>>>>>> 2. Try to change /etc/selinux/config. >>>>>>>>>>> >>>>>>>>>>> Regarding second one - manuals on SELinux say that /etc/selinux/config >>>>>>>>>>> contains name of policy to be loaded. And that name _policyname_ is a >>>>>>>>>>> name of directory in /etc/selinux/_policyname_ having subdirectory >>>>>>>>>>> policy with actual policy file. >>>>>>>>>>> >>>>>>>>>>> So, it seems only option #1 is the one to use. >>>>>>>>>>> >>>>>>>>>>> Does kernel use libselinux to read policy or it reads it directly from >>>>>>>>>>> filesystem? >>>>>>>>>>> Any other pitfalls? >>>>>>>>>>> >>>>>>>>>>> Tim >>>>>>>>> -- >>>>>>>>> This message was distributed to subscribers of the selinux mailing list. 
>>>>>>>>>
>>>> Everything uses libselinux to find the paths to policy. So if you
>>>> wanted to change the location of where SELinux stores the policy you
>>>> would need to modify libselinux. In the file src/selinux_config.c
>>>> you would modify
>>>>
>>>> $ grep /etc/selinux src/selinux_config.c
>>>> #define SELINUXDIR "/etc/selinux/"
>>>>
>>>> All of the other paths are relative to this.
>>>>
>>>> I do not believe that we have hard coded this path into any other user
>>>> tools. If we have, that is a bug. I don't understand why you would want
>>>> to change this path, and would suggest that you use bind mounts or
>>>> remote mounts if you want these files to be located somewhere else. You
>>>> would also need to maintain the file context if you do this.
>>>> The motivation for having an alternative path for the selinux policy
>>>> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
>>>> 1) I have a legacy system that mounts the root filesystem, including
>>>> /etc/selinux/..., in read-only mode;
>>>> 2) the system also mounts a writable filesystem;
>>>> 3) I can not change that behavior (modes of mounting, filesystem
>>>> types, sequence of mounting, number of mount points etc) of the legacy
>>>> system for some reason;
>>>> 4) I can freely modify sources -> kernel, selinux-related (under the above
>>>> limitations).
>>>> 5) there is a requirement to support the modular policy infrastructure in
>>>> that system;
>>>> To do that I plan to make the SELinux subsystem operate on policy-related
>>>> files in a different location --> on the writable filesystem.
>>>> Could you please clarify that?
> You would also need to maintain the file context if you do this.
>
>>>> Tim
> If you want to maintain the SELinux files on, say, /var/lib/selinux then
> all of the file contexts under /var/lib/selinux need to match those of
> /etc/selinux
>
> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>
> In Rawhide for example I have the following labeling for /etc/selinux
> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>
>
> You can set up matching labels for /var/lib/selinux with the semanage
> command.
>
> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
> ...
>
>
>>
> Thank you for the clarification.
> I will try to change the suggested libselinux line to point to a different
> location and post the results.
> Tim

Why not just use a bind mount on a regular mount, and then you do not
need to change the library at all?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklWO4MACgkQrlYvE4MpobPZsACg5YXltDIHUMA7001nNCdLO3C/
jBUAoNwSx/nVhejh+OdSAES9D6wJktao
=X1+b
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 19+ messages in thread
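Dan's message above lists the labels under /etc/selinux and says the same labels have to be recreated under a relocated store with semanage. The script below is an added example, not code from this thread or from the SELinux project: it reads file_contexts entries in the layout quoted above and rewrites every entry rooted at one prefix for another, keeping the file-type column and the full context, so the relocated tree ends up with exactly the labels its /etc/selinux counterpart has. The new root /var/lib/selinux and the constructed sample entries (a subset of the Rawhide listing, plus an /etc/passwd line to show what is left alone) are assumptions. The prefixes are parameters, so the same function covers any relocation, not only this one.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite /etc/selinux file_contexts
# entries for a relocated policy store. The target prefix /var/lib/selinux
# and the sample entries below are assumptions.

# Constructed sample input: a subset of the Rawhide entries quoted above,
# in file_contexts layout (regex, optional file-type column, context),
# plus one unrelated /etc entry that must not be rewritten.
SAMPLE_FILE_CONTEXTS='/etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
/etc/passwd -- system_u:object_r:etc_t:s0'

# relocate_fcontexts OLDPREFIX NEWPREFIX < file_contexts
# Prints each entry rooted at OLDPREFIX with the prefix swapped for NEWPREFIX.
# The file-type column ("--" for regular files) and the full context are
# preserved. Entries that merely share leading characters with OLDPREFIX
# (a hypothetical /etc/selinux-backup, say) are not touched.
relocate_fcontexts() {
    awk -v oldp="$1" -v newp="$2" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        index($1, oldp) != 1 { next }        # regex does not start with OLDPREFIX
        {
            rest = substr($1, length(oldp) + 1)
            # After the prefix the regex must end, descend ("/") or open a
            # group ("("); anything else is a different directory.
            if (rest != "" && rest !~ /^\// && rest !~ /^\(/) next
            if (NF == 3) {
                print newp rest, $2, $3      # regex, file type, context
            } else {
                print newp rest, $NF         # regex, context
            }
        }'
}

# fcontext_types < file_contexts
# Lists the distinct SELinux types the entries assign, sorted, one per line.
# This is the checklist to verify with "ls -dZ" once restorecon has run.
fcontext_types() {
    awk 'NF >= 2 { split($NF, ctx, ":"); print ctx[3] }' | LC_ALL=C sort -u
}

# Usage: emit the entries for a store moved to /var/lib/selinux.
printf '%s\n' "$SAMPLE_FILE_CONTEXTS" | relocate_fcontexts /etc/selinux /var/lib/selinux
```

Each output line is in the layout semanage fcontext -a records in file_contexts.local, so the list can be fed to semanage one entry at a time or appended to the local file before running restorecon -R on the new tree; fcontext_types gives the set of types to confirm afterwards. Labeling the copy is the only part this covers; it says nothing about whether the writable filesystem is mounted before init loads the policy.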
* Re: Alternative location of policy files
  2008-12-27 14:28 ` Daniel J Walsh
@ 2008-12-27 22:06 ` Tim
  2008-12-28  1:07   ` Tim
  0 siblings, 1 reply; 19+ messages in thread
From: Tim @ 2008-12-27 22:06 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: xing li, SELinux
2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Tim wrote:
>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>> Tim wrote:
>>>>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>>>>> xing li wrote:
>>>>>>>> 2008/12/27 xing li <lixing.1006@gmail.com>
>>>>>>>>
>>>>>>>>> Its work was really done in the "/sbin/init" until the last step of
>>>>>>>>> system initialization, while the source
>>>>>>>>> of "/sbin/init" is included in the sysvinit. And it finally invoked
>>>>>>>>> "security_load_policy()" to load the binary
>>>>>>>>> policy "policy.XX" into the kernel structure policydb.
>>>>>>>>>
>>>>>>>>> And I am confused by the question:
>>>>>>>>> when and how does SELinux label the whole file system according
>>>>>>>>> to "file_contexts"?
>>>>>>>>> And I found the clue that when we "touch /.autorelabel", the system would
>>>>>>>>> invoke
>>>>>>>>> "fixfiles relabel" to relabel the file system. But I couldn't find the
>>>>>>>>> relevant source code.
>>>>>>>>> Maybe somebody has investigated that and could share information?
>>>>>>>>>
>>>>>>>>> 2008/12/27 Tim <timasyk@gmail.com>
>>>>>>>>>
>>>>>>>>>> OK. I'm trying to trace Linux sources to find the exact sequence of
>>>>>>>>>> function calls for loading SELinux policy into the Linux kernel at boot
>>>>>>>>>> time. And I've lost... too many calls to trace.
>>>>>>>>>>
>>>>>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>>>>>
>>>>>>>>>> Tim
>>>>>>>>>>
>>>>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>>>>>>> I think, one of the main jobs
>>>>>>>>>>> For libselinux is reading the
>>>>>>>>>>> Policy, from its specified location
>>>>>>>>>>> And then mounting the selinuxfs.
>>>>>>>>>>> Or vice versa mounting selinuxfs,
>>>>>>>>>>> And then reading the policy. As
>>>>>>>>>>> For changing the location, not
>>>>>>>>>>> Too sure what the code looks like,
>>>>>>>>>>> Maybe it's just a few liners to
>>>>>>>>>>> Do what you wanted.
>>>>>>>>>>>
>>>>>>>>>>> justin P. Mattock
>>>>>>>>>>>
>>>>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I was wondering, how can I change the default location of SELinux policy
>>>>>>>>>>>>>>>> from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>>>>>>>> What source code should be modified for that?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The reasons to do that are:
>>>>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires the
>>>>>>>>>>>>>>>> /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>>>>>> - limitation of my filesystem having the /etc directory (it is a read-only
>>>>>>>>>>>>>>>> filesystem)
>>>>>>>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>>>>>>>>> filesystem
>>>>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc from a
>>>>>>>>>>>>>>> writeable filesystem?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Paul.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is confusing to me:
>>>>>>>>>>>>>> it sounds like they're not trying to mount
>>>>>>>>>>>>>> SELinux, but have the policy load
>>>>>>>>>>>>>> in a different location other than
>>>>>>>>>>>>>> /etc/selinux/*
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>
>>>>>>>>>>>>> On second thought from what it sounds,
>>>>>>>>>>>>> to have SELinux be read in another location,
>>>>>>>>>>>>> you would have to locate in
>>>>>>>>>>>>> libselinux the location from where the library is
>>>>>>>>>>>>> told to read the policy, and simply just change the location,
>>>>>>>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>>>>>>>> all apps, etc.. that read /etc/selinux/*
>>>>>>>>>>>>> maybe a simple change of /etc/selinux/config
>>>>>>>>>>>>> seems simpler, rather than going through
>>>>>>>>>>>>> lines of code.
>>>>>>>>>>>>> Anyways,
>>>>>>>>>>>>> "Merry Christmas"
>>>>>>>>>>>>>
>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>
>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>> You are right. I would like the kernel to read policy just from a different
>>>>>>>>>>>> location.
>>>>>>>>>>>>
>>>>>>>>>>>> So options are as follows:
>>>>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>>>>>
>>>>>>>>>>>> Regarding the second one - manuals on SELinux say that /etc/selinux/config
>>>>>>>>>>>> contains the name of the policy to be loaded. And that name _policyname_ is the
>>>>>>>>>>>> name of a directory in /etc/selinux/_policyname_ having a subdirectory
>>>>>>>>>>>> policy with the actual policy file.
>>>>>>>>>>>>
>>>>>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>>>>>
>>>>>>>>>>>> Does the kernel use libselinux to read policy or does it read it directly from
>>>>>>>>>>>> the filesystem?
>>>>>>>>>>>> Any other pitfalls?
>>>>>>>>>>>>
>>>>>>>>>>>> Tim
>>>>>>>>>>
>>>>> Everything uses libselinux to find the paths to policy. So if you
>>>>> wanted to change the location of where SELinux stores the policy you
>>>>> would need to modify libselinux. In the file src/selinux_config.c
>>>>> you would modify
>>>>>
>>>>> $ grep /etc/selinux src/selinux_config.c
>>>>> #define SELINUXDIR "/etc/selinux/"
>>>>>
>>>>> All of the other paths are relative to this.
>>>>>
>>>>> I do not believe that we have hard coded this path into any other user
>>>>> tools. If we have, that is a bug. I don't understand why you would want
>>>>> to change this path, and would suggest that you use bind mounts or
>>>>> remote mounts if you want these files to be located somewhere else. You
>>>>> would also need to maintain the file context if you do this.
>>>>> The motivation for having an alternative path for the selinux policy
>>>>> directory _policyname_ in /etc/selinux/_policyname_ is as follows:
>>>>> 1) I have a legacy system that mounts the root filesystem, including
>>>>> /etc/selinux/..., in read-only mode;
>>>>> 2) the system also mounts a writable filesystem;
>>>>> 3) I can not change that behavior (modes of mounting, filesystem
>>>>> types, sequence of mounting, number of mount points etc) of the legacy
>>>>> system for some reason;
>>>>> 4) I can freely modify sources -> kernel, selinux-related (under the above
>>>>> limitations).
>>>>> 5) there is a requirement to support the modular policy infrastructure in
>>>>> that system;
>>>>> To do that I plan to make the SELinux subsystem operate on policy-related
>>>>> files in a different location --> on the writable filesystem.
>>>>> Could you please clarify that?
>> You would also need to maintain the file context if you do this.
>>
>>>>> Tim
>> If you want to maintain the SELinux files on, say, /var/lib/selinux then
>> all of the file contexts under /var/lib/selinux need to match those of
>> /etc/selinux
>>
>> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>>
>> In Rawhide for example I have the following labeling for /etc/selinux
>> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
>> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
>> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
>> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
>> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
>> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
>> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
>> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>>
>>
>> You can set up matching labels for /var/lib/selinux with the semanage
>> command.
>>
>> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
>> ...
>>
>>
>>>
>> Thank you for the clarification.
>> I will try to change the suggested libselinux line to point to a different
>> location and post the results.
>
>> Tim
>
> Why not just use a bind mount on a regular mount, and then you do not
> need to change the library at all?
>
Sure, I will try mount --bind before modification of any source.

Tim
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Alternative location of policy files
  2008-12-27 22:06 ` Tim
@ 2008-12-28  1:07 ` Tim
  2008-12-28  1:26   ` Tom London
  0 siblings, 1 reply; 19+ messages in thread
From: Tim @ 2008-12-28 1:07 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: xing li, SELinux
2008/12/28 Tim <timasyk@gmail.com>:
> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Tim wrote:
[...]
>>
>>> Tim
>>
>> Why not just use a bind mount on a regular mount, and then you do not
>> need to change the library at all?
>>
> Sure, I will try mount --bind before modification of any source.
>
> Tim
>
Results on mount --bind
1) mount --bind /etc/selinnux /opt/mypolicy
fails since /etc/selinnux is not a device.
I think the reason is that /etc/selinnux is part of the root filesystem,
not a separate filesystem. So mount can not handle it.
2) Straight modification of the policy path in libselinux to point into the
writable filesystem also did not help at boot.
Reason: policy reading is done at a very early stage - a way _before_
the writable filesystem is mounted.

Any ideas for that?

Tim
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Alternative location of policy files
  2008-12-28  1:07 ` Tim
@ 2008-12-28  1:26 ` Tom London
  2008-12-28  2:23   ` Tim
  0 siblings, 1 reply; 19+ messages in thread
From: Tom London @ 2008-12-28 1:26 UTC (permalink / raw)
To: Tim; +Cc: Daniel J Walsh, xing li, SELinux
On Sat, Dec 27, 2008 at 5:07 PM, Tim <timasyk@gmail.com> wrote:
> 2008/12/28 Tim <timasyk@gmail.com>:
>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Tim wrote:
[...]
>>>
>>>> Tim
>>>
>>> Why not just use a bind mount on a regular mount, and then you do not
>>> need to change the library at all?
>>>
>> Sure, I will try mount --bind before modification of any source.
>>
>> Tim
>>
> Results on mount --bind
> 1) mount --bind /etc/selinnux /opt/mypolicy
> fails since /etc/selinnux is not a device.
> I think the reason is that /etc/selinnux is part of the root filesystem,
> not a separate filesystem. So mount can not handle it.
> 2) Straight modification of the policy path in libselinux to point into the
> writable filesystem also did not help at boot.
> Reason: policy reading is done at a very early stage - a way _before_
> the writable filesystem is mounted.
>
> Any ideas for that?
>
> Tim
>
"mount --bind" works for me:

[root@tlondon ~]# mkdir foobar
[root@tlondon ~]# mount --bind /etc/selinux foobar
[root@tlondon ~]# ls -l foobar
total 16
-rw-r--r-- 1 root root  483 2008-12-27 08:56 config
-rw------- 1 root root  133 2008-12-10 06:22 restorecond.conf
-rw-r--r-- 1 root root 1766 2008-12-04 13:12 semanage.conf
drwxr-xr-x 5 root root 4096 2008-12-27 08:57 targeted
[root@tlondon ~]#

I notice that you spelled '/etc/selinux' as '/etc/selinnux'. That
produces the following:

[root@tlondon ~]# mount --bind /etc/selinnux foobar
mount: special device /etc/selinnux does not exist
[root@tlondon ~]#

Does that help?

tom
--
Tom London
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: Alternative location of policy files
  2008-12-28  1:26 ` Tom London
@ 2008-12-28  2:23 ` Tim
  0 siblings, 0 replies; 19+ messages in thread
From: Tim @ 2008-12-28 2:23 UTC (permalink / raw)
To: Tom London; +Cc: Daniel J Walsh, SELinux
2008/12/28 Tom London <selinux@gmail.com>:
> On Sat, Dec 27, 2008 at 5:07 PM, Tim <timasyk@gmail.com> wrote:
>> 2008/12/28 Tim <timasyk@gmail.com>:
>>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>>>>
>>>> Tim wrote:
>>>>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>>>>> Tim wrote:
>>>>>>>> 2008/12/27 Daniel J Walsh <dwalsh@redhat.com>:
>>>>>>>> xing li wrote:
>>>>>>>>>>> 2008/12/27 xing li <lixing.1006@gmail.com>
>>>>>>>>>>>
>>>>>>>>>>>> It's work was really done in the "/sbin/init" until the last step of
>>>>>>>>>>>> system initialization, while the source
>>>>>>>>>>>> of "/sbin/init" is included in the sysvinit. and it finally invoked
>>>>>>>>>>>> "security_load_policy()" to load the binary
>>>>>>>>>>>> policy "policy.XX" to the kernel structure policydb.
>>>>>>>>>>>>
>>>>>>>>>>>> and i have confused by the question:
>>>>>>>>>>>> when and how the selinux label the all file system according
>>>>>>>>>>>> to "file_contexts"?
>>>>>>>>>>>> and i found the clue that when we "touch /.autorelabel", the system would
>>>>>>>>>>>> invoke
>>>>>>>>>>>> "fixfiles relabel" to relabel the file system. but i couldn't find the
>>>>>>>>>>>> relevant source code.
>>>>>>>>>>>> Maybe somebody has investigated that and could share information?
>>>>>>>>>>>>
>>>>>>>>>>>> 2008/12/27 Tim <timasyk@gmail.com>
>>>>>>>>>>>>
>>>>>>>>>>>>> OK. I'm trying to trace Linux sources to find exact sequence of
>>>>>>>>>>>>> function calls for loading SELinux policy into Linux kernel at boot
>>>>>>>>>>>>> time. And I've lost... too many calls to trace.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Maybe somebody has that tracing already and can share information?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Tim
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2008/12/26 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>>>>>>>>>> I think, one of the main jobs
>>>>>>>>>>>>>> For libselinux is reading the
>>>>>>>>>>>>>> Policy, from it specified location
>>>>>>>>>>>>>> And then mounting the selinuxfs.
>>>>>>>>>>>>>> Or vice versa mounting selinuxfs,
>>>>>>>>>>>>>> And then reading the policy. As
>>>>>>>>>>>>>> For changing the location, not
>>>>>>>>>>>>>> To sure what the code looks like,
>>>>>>>>>>>>>> Maybe it's just a few liners to
>>>>>>>>>>>>>> Do what you wanted.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> justin P. Mattock
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Dec 25, 2008, at 5:36 AM, Tim <timasyk@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 2008/12/25 Justin P. Mattock <justinmattock@gmail.com>:
>>>>>>>>>>>>>>>> Justin P. Mattock wrote:
>>>>>>>>>>>>>>>>> Paul Howarth wrote:
>>>>>>>>>>>>>>>>>> Tim wrote:
>>>>>>>>>>>>>>>>>>> Hello all,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I was wondering, how can I change default location of SELinux policy
>>>>>>>>>>>>>>>>>>> from /etc/selinux/_policyname_ to some other path?
>>>>>>>>>>>>>>>>>>> What source codes should be modified for that?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> The reason to do that are:
>>>>>>>>>>>>>>>>>>> - I want to work with loadable policy modules --> that requires
>>>>>>>>>>>>>>>>>>> /etc/selinux/_policyname_ directory to be writable.
>>>>>>>>>>>>>>>>>>> - limitation of my filesystem having /etc directory (it is read-only
>>>>>>>>>>>>>>>>>>> filesystem)
>>>>>>>>>>>>>>>>>>> - unfortunately, I can not mount /etc into some other writable
>>>>>>>>>>>>>>>>>>> filesystem
>>>>>>>>>>>>>>>>>> Perhaps you could mount /etc/selinux/_policyname_ rather than /etc from
>>>>>>>>>>>>>>>>>> a writeable filesystem?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Paul.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> This is confusing to me:
>>>>>>>>>>>>>>>>> it sounds like there not trying to mount
>>>>>>>>>>>>>>>>> SELinux, but have the policy load
>>>>>>>>>>>>>>>>> in a different location other than
>>>>>>>>>>>>>>>>> /etc/selinux/*
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On second thought from what it sounds,
>>>>>>>>>>>>>>>> to have SELinux be read in another location,
>>>>>>>>>>>>>>>> you would have to locate in
>>>>>>>>>>>>>>>> libselinux the location from where the library is
>>>>>>>>>>>>>>>> told to read the policy, and simply just change the location,
>>>>>>>>>>>>>>>> but then you might have to change the kernel, all the libraries,
>>>>>>>>>>>>>>>> all apps, etc.. that read /etc/selinux/*
>>>>>>>>>>>>>>>> maybe a simple change of /etc/selinux/config
>>>>>>>>>>>>>>>> seems simpler. rather than going through
>>>>>>>>>>>>>>>> lines of code.
>>>>>>>>>>>>>>>> Anyways,
>>>>>>>>>>>>>>>> "Merry Christmas"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> regards;
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Justin P. Mattock
>>>>>>>>>>>>>>> You are right. I would like kernel to read policy just from different
>>>>>>>>>>>>>>> location.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So options are as following:
>>>>>>>>>>>>>>> 1. Change libselinux sources and sources of all related apps + kernel.
>>>>>>>>>>>>>>> 2. Try to change /etc/selinux/config.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regarding second one - manuals on SELinux say that /etc/selinux/config
>>>>>>>>>>>>>>> contains name of policy to be loaded. And that name _policyname_ is a
>>>>>>>>>>>>>>> name of directory in /etc/selinux/_policyname_ having subdirectory
>>>>>>>>>>>>>>> policy with actual policy file.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> So, it seems only option #1 is the one to use.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Does kernel use libselinux to read policy or it reads it directly from
>>>>>>>>>>>>>>> filesystem?
>>>>>>>>>>>>>>> Any other pitfalls?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Tim
>>>>>>>>>>>>>
>>>>>>>> Everything uses libselinux to find the paths to policy. So if you
>>>>>>>> wanted to change the location of where SELinux stores the policy you
>>>>>>>> would need to modify libselinux. In the file src/selinux_config.c
>>>>>>>> you would modify
>>>>>>>>
>>>>>>>> $ grep /etc/selinux src/selinux_config.c
>>>>>>>> #define SELINUXDIR "/etc/selinux/"
>>>>>>>>
>>>>>>>> All of the other paths are relative to this.
>>>>>>>>
>>>>>>>> I do not believe that we have hard coded this path in to any other user
>>>>>>>> tools. If we have that is a bug. I don't understand why you would want
>>>>>>>> to change this path, and would suggest that you use bind mounts or
>>>>>>>> remote mounts if you want these files to be located somewhere else. You
>>>>>>>> would also need to maintain the file context if you do this.
>>>>>>>> The motivation for having alternative path for selinux policy
>>>>>>>> directory _policyname_ in /etc/selinux/_policyname_ is as following:
>>>>>>>> 1) I have legacy system that mounts root filesystem including
>>>>>>>> /etc/selinux/...
>>>>>>>> in read-only mode;
>>>>>>>> 2) also the system mounts a writable filesystem;
>>>>>>>> 3) I can not change that behavior (modes of mounting, filesystem
>>>>>>>> types, sequence of mounting, number of mount points etc) of legacy
>>>>>>>> system for some reason;
>>>>>>>> 4) I can freely modify sources -> kernel, selinux-related (under above
>>>>>>>> limitations).
>>>>>>>> 5) there is a requirement to support modular policy infrastructure in
>>>>>>>> that system;
>>>>>>>> To do that I plan to make SELinux subsystem operate on policy-related
>>>>>>>> files on different location --> on writable filesystem.
>>>>>>>> Could you please clarify that?
>>>>> You would also need to maintain the file context if you do this.
>>>>>
>>>>>>>> Tim
>>>>> If you want to maintain the SELinux files on say /var/lib/selinux then
>>>>> all of the file context under /var/lib/selinux needs to match that of
>>>>> /etc/selinux
>>>>>
>>>>> So /var/lib/selinux/targeted needs to be labeled selinux_config_t.
>>>>>
>>>>> In Rawhide for example I have the following labeling for /etc/selinux
>>>>> # grep /etc/selinux /etc/selinux/targeted/contexts/files/file_contexts
>>>>> /etc/selinux(/.*)? system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?seusers -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?users(/.*)? -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?policy(/.*)? system_u:object_r:semanage_store_t:s0
>>>>> /etc/selinux/([^/]*/)?setrans\.conf -- system_u:object_r:selinux_config_t:s0
>>>>> /etc/selinux/([^/]*/)?contexts(/.*)? system_u:object_r:default_context_t:s0
>>>>> /etc/selinux/([^/]*/)?contexts/files(/.*)? system_u:object_r:file_context_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- system_u:object_r:semanage_read_lock_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- system_u:object_r:semanage_trans_lock_t:s0
>>>>> /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? system_u:object_r:semanage_store_t:s0
>>>>>
>>>>> You can set up matching labels for /var/lib/selinux with the semanage
>>>>> command.
>>>>>
>>>>> # semanage fcontext -a -t selinux_config_t '/var/lib/selinux(/.*)?'
>>>>> ...
>>>>>
>>>>>>
>>>>> Thank you for clarification.
>>>>> I will try to change suggested libselinux line to point into different
>>>>> location and post the results.
>>>>
>>>>> Tim
>>>>
>>>> Why not just use a bind mount on a regular mount, and then you do not
>>>> need to change the library at all?
>>>>
>>> Sure, I will try mount --bind before modification of any source.
>>>
>>> Tim
>>>
>> Results on mount --bind
>> 1) mount --bind /etc/selinnux /opt/mypolicy
>> fails since /etc/selinnux is not a device.
>> I think the reason is that /etc/selinnux is part of root filesystem,
>> not separate filesystem. So mount can not handle it.
>> 2) Straight modification of policy path in libselinux to point into
>> writable filesystem also did not help at boot.
>> Reason: policy reading is done at very early stage - a way _before_
>> the writable filesystem is mounted.
>>
>> Any ideas for that?
>>
>> Tim
>>
>
> "mount --bind" works for me:
>
> [root@tlondon ~]# mkdir foobar
> [root@tlondon ~]# mount --bind /etc/selinux foobar
> [root@tlondon ~]# ls -l foobar
> total 16
> -rw-r--r-- 1 root root  483 2008-12-27 08:56 config
> -rw------- 1 root root  133 2008-12-10 06:22 restorecond.conf
> -rw-r--r-- 1 root root 1766 2008-12-04 13:12 semanage.conf
> drwxr-xr-x 5 root root 4096 2008-12-27 08:57 targeted
> [root@tlondon ~]#
>
> I notice that you spelled '/etc/selinux' as '/etc/selinnux'.
>
> That produces the following:
> [root@tlondon ~]# mount --bind /etc/selinnux foobar
> mount: special device /etc/selinnux does not exist
> [root@tlondon ~]#
>
> Does that help?
>
> tom
> --
> Tom London
>
Thank you very much, Tom!
I've made that typo. After testing it works.
However... /etc/selinux is on read-only filesystem in my system.
If I will execute:
mount --bind /etc/selinux /somefs/writable/place
I will have the content of /somefs/writable/place same as for /etc/selinux
with read-only permissions.

Then... maybe mounting should look like this:
mount --bind /somefs/writable/place /etc/selinux
Then content of /somefs/writable/place will be accessed with calls to
/etc/selinux.

So, now the plan is as following:
0) Put all policy-related files into writable filesystem (say,
/somefs/writable/place).
1) I have some "default" policy in /etc/selinux on read-only filesystem.
Fine, let the system boot with that policy first.
2) In rc.sysinit mount writable filesystem (above /somefs).
3) In rc.sysinit put that line after mounting /somefs:
mount --bind /somefs/writable/place /etc/selinux
Now the system is running with "default" policy, but /etc/selinux is
"mapped" into a place where actual policy is located. So..
4) In rc.sysinit put a line to reload the policy:
load_policy -b
Now the system will be loaded with new policy.
At least that is theory :)

Any ideas on improvement?

Tim

P.S. there are some hardcoded paths to /etc/selinux in:
libsemanage-1.10.9/src/semanage_store.c
policycoreutils-1.34.16/restorecond/restorecond.c
policycoreutils-1.34.16 - number of script files
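Dan Walsh's point above, that a relocated policy tree needs the same labels as /etc/selinux, as an added example that is not the thread's or the SELinux project's code: it parses the quoted file_contexts lines, re-roots the /etc/selinux entries under a new directory (the /var/lib/selinux of Dan's message, or the /somefs/writable/place of the plan above), and emits the matching `semanage fcontext -a` commands. The sample lines are constructed from the ones quoted in the thread, and the `-f` letter codes assume a current semanage; the policycoreutils-1.34 era `semanage` took the ls-style column (`--`, `-d`) instead.

```python
"""Re-root the /etc/selinux file_contexts entries for a relocated policy tree."""
import re

# Constructed sample: the Rawhide lines quoted in the thread, plus a look-alike
# prefix and an unrelated path to show that only /etc/selinux itself is re-rooted.
SAMPLE_FILE_CONTEXTS = r"""
/etc/selinux(/.*)?  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?seusers  --  system_u:object_r:selinux_config_t:s0
/etc/selinux/([^/]*/)?policy(/.*)?  system_u:object_r:semanage_store_t:s0
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK  --  system_u:object_r:semanage_read_lock_t:s0
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)?  system_u:object_r:semanage_store_t:s0
/etc/selinux-backup(/.*)?  system_u:object_r:etc_t:s0
/var/log(/.*)?  system_u:object_r:var_log_t:s0
"""

# One line: path regex, optional ls-style type column (-- -d -c -b -s -l -p), context.
ENTRY_RE = re.compile(r"^(\S+)\s+(?:(-[-dcbslp])\s+)?(\S+:\S+:\S+:\S+|<<none>>)$")
# The type column as the letter code that current `semanage fcontext -f` expects
# (assumption: older semanage releases took the ls-style column directly).
FTYPE_TO_SEMANAGE = {"--": "f", "-d": "d", "-c": "c", "-b": "b", "-s": "s", "-l": "l", "-p": "p"}


def parse_file_contexts(text):
    """Return a list of (regex, ftype_or_None, context) tuples, one per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines carry no entry
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unparsable file_contexts line: %r" % raw)
        entries.append((m.group(1), m.group(2), m.group(3)))
    return entries


def mirror_entries(entries, old_root="/etc/selinux", new_root="/var/lib/selinux"):
    """Keep the entries rooted at old_root and rewrite them under new_root.

    Only a whole path component counts: '/etc/selinux-backup' is left alone."""
    old_root, new_root = old_root.rstrip("/"), new_root.rstrip("/")
    mirrored = []
    for regex, ftype, context in entries:
        rest = regex[len(old_root):]
        if regex.startswith(old_root) and (rest == "" or rest[0] in "/("):
            mirrored.append((new_root + rest, ftype, context))
    return mirrored


def semanage_commands(entries):
    """The `semanage fcontext -a` invocations that add these entries to the local store."""
    cmds = []
    for regex, ftype, context in entries:
        if context == "<<none>>":  # semanage cannot add an unlabeled entry
            continue
        flags = ["-f", FTYPE_TO_SEMANAGE[ftype]] if ftype else []
        setype = context.split(":")[2]  # user:role:type:level -> type
        cmds.append(" ".join(["semanage", "fcontext", "-a", *flags, "-t", setype, "'%s'" % regex]))
    return cmds
```

With the bind-mount plan above the files are reached through /etc/selinux, so the existing entries label them when restorecon runs on that path; the re-rooted entries are what keeps a relabel of the real path (/somefs/writable/place, or a full `fixfiles relabel`) from stamping them with the parent directory's type.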
Thread overview: 19+ messages
2008-12-24 7:58 Alternative location of policy files Tim
2008-12-24 8:37 ` Justin P. Mattock
2008-12-24 8:48 ` Justin P. Mattock
2008-12-24 9:01 ` Paul Howarth
2008-12-24 9:46 ` Justin P. Mattock
2008-12-25 9:06 ` Justin P. Mattock
2008-12-25 13:36 ` Tim
2008-12-25 17:31 ` Justin P. Mattock
2008-12-27 1:33 ` Tim
[not found] ` <707f057d0812262321w4234ddabuc634f80a84cf5a9c@mail.gmail.com>
2008-12-27 7:22 ` xing li
2008-12-27 11:12 ` Daniel J Walsh
2008-12-27 12:18 ` Tim
2008-12-27 12:30 ` Daniel J Walsh
2008-12-27 12:55 ` Tim
2008-12-27 14:28 ` Daniel J Walsh
2008-12-27 22:06 ` Tim
2008-12-28 1:07 ` Tim
2008-12-28 1:26 ` Tom London
2008-12-28 2:23 ` Tim