mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-12-14 06:58:44 +00:00
dc3d9c6d71
As reported in #109, semodule -p /path/to/policyroot -s minimum -n -B tries to use /etc/selinux/targeted/booleans.subs_dist. This is because it invokes the libselinux selinux_boolean_sub() interface, which uses the active/installed policy files rather than the libsemanage ones. Switch the selinux policy root around the selinux_boolean_sub() call to incorporate the semanage root as a prefix and to use the specified policy store as a suffix so that the correct booleans.subs_dist file (if any) is used. The underlying bug is that booleans.subs_dist is not itself managed via libsemanage. If it was managed and therefore lived within the policy store, then libsemanage could access the appropriate booleans.subs_dist file without using the libselinux interface at all, and thus would not need to modify the selinux policy root. Moving booleans.subs_dist to a managed file is deferred to a future change. Test: dnf install selinux-policy-minimum selinux-policy-targeted cd / && tar cf - etc/selinux var/lib/selinux | (cd ~/policy-root; tar xvpf -) strace semodule -p ~/policy-root -s minimum -n -B Before: openat(AT_FDCWD, "/etc/selinux/targeted/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 After: openat(AT_FDCWD, "/home/sds/policy-root/etc/selinux/minimum/booleans.subs_dist", O_RDONLY|O_CLOEXEC) = 5 Fixes https://github.com/SELinuxProject/selinux/issues/109 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> |
||
|---|---|---|
| .. | ||
| example | ||
| include | ||
| man | ||
| src | ||
| tests | ||
| utils | ||
| .gitignore | ||
| COPYING | ||
| Makefile | ||
| VERSION | ||