Ensure correct monolithic binary policy is loaded

When building a monolithic policy with 'make load', the selinux_config(5) file 'SELINUXTYPE' entry determines what policy is loaded as load_policy(8) does not take a path value (it always loads the active system policy as defined by /etc/selinux/config). Currently it is possible to load the wrong binary policy, for example if the Reference Policy source is located at: /etc/selinux/refpolicy and the /etc/selinux/config file has the following entry: SELINUXTYPE=targeted Then the /etc/selinux/targeted/policy/policy.<ver> is loaded when 'make load' is executed. Resolve this by using selinux_binary_policy_path(3) to determine the current configured policy name and its location. Another example is that if the Reference Policy source is located at: /tmp/custom-rootfs/etc/selinux/refpolicy and the /etc/selinux/config file has the following entry: SELINUXTYPE=refpolicy Then the /etc/selinux/refpolicy/policy/policy.<ver> is loaded when 'make DESTDIR=/tmp/custom-rootfs load' is executed (not the /tmp/custom-rootfs/etc/selinux/refpolicy/policy/policy.<ver> that the developer thought would be loaded). Resolve this by checking if DESTDIR has been set. Remove the '@touch $(tmpdir)/load' line as the file is never referenced. Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
2020-12-21 12:22:13 +00:00 · 2020-12-21 12:22:13 +00:00 · 037ac427f8
parent 26ed37c991
commit 037ac427f8
3 changed files with 27 additions and 1 deletions
--- a/1
+++ b/1
@ -97,6 +97,7 @@ genxml := $(PYTHON) $(support)/segenxml.py
 gendoc := $(PYTHON) $(support)/sedoctool.py
 genperm := $(PYTHON) $(support)/genclassperms.py
 policyvers := $(PYTHON) $(support)/policyvers.py
+binary_policy_path := $(PYTHON) $(support)/selinux_binary_policy_path.py
 fcsort := $(PYTHON) $(support)/fc_sort.py
 setbools := $(AWK) -f $(support)/set_bools_tuns.awk
 get_type_attr_decl := $(SED) -r -f $(support)/get_type_attr_decl.sed
--- a/Rules.monolithic
+++ b/Rules.monolithic
@ -13,6 +13,12 @@ ifeq "$(kv)" ""
 	kv := $(pv)
 endif

+# load_policy(8) loads policy from /etc/selinux/<SELINUXTYPE>/policy/policy.$(pv)
+# It does this by reading the /etc/selinux/config file SELINUXTYPE entry to
+# form the full path. $(polbinpath) will contain this evaluated path for use as
+# a validation check.
+polbinpath := $(shell $(binary_policy_path))
+
 policy_conf = $(builddir)policy.conf
 fc = $(builddir)file_contexts
 polver = $(builddir)policy.$(pv)
@ -91,9 +97,16 @@ endif
 # Load the binary policy
 #
 reload $(tmpdir)/load: $(loadpath) $(fcpath) $(appfiles)
+ifneq ($(DESTDIR),)
+	$(error Cannot load policy as '$$DESTDIR' is set to $(DESTDIR), \
+		creating an invalid policy load path)
+endif
+ifneq ($(polbinpath).$(pv),$(loadpath))
+	$(error Cannot load policy as invalid policy path: $(polbinpath).$(pv) - \
+		Check $(topdir)/config file entry is: "SELINUXTYPE=$(NAME)")
+endif
 	@echo "Loading $(NAME) $(loadpath)"
 	$(verbose) $(LOADPOLICY) -q $(loadpath)
-	@touch $(tmpdir)/load

 ########################################
 #
--- a/support/selinux_binary_policy_path.py
+++ b/support/selinux_binary_policy_path.py
@ -0,0 +1,12 @@
+#!/usr/bin/env python3
+
+try:
+    import warnings
+    with warnings.catch_warnings():
+        warnings.filterwarnings("ignore", category=PendingDeprecationWarning)
+        import selinux
+
+    if selinux.is_selinux_enabled():
+        print(selinux.selinux_binary_policy_path())
+except ImportError:
+    exit(0)