libselinux: Support SELinux policy tree at /usr/etc/selinux. (microsoft#14750)

pebenito · web-flow · commit 0897a520ef2d · 2025-10-30T16:17:48.000-04:00
Signed-off-by: Chris PeBenito &lt;chpebeni@linux.microsoft.com&gt;
diff --git a/SPECS/libselinux/libselinux-usr-etc-selinux-path.patch b/SPECS/libselinux/libselinux-usr-etc-selinux-path.patch
@@ -0,0 +1,85 @@
+diff --git a/libselinux/src/init.c b/libselinux/src/init.c
+index 542c979b..acba93f6 100644
+--- a/libselinux/src/init.c
++++ b/libselinux/src/init.c
+@@ -149,7 +149,7 @@ static void init_lib(void)
+ 	selinux_page_size = sysconf(_SC_PAGE_SIZE);
+ 	init_selinuxmnt();
+ #ifndef ANDROID
+-	has_selinux_config = (access(SELINUXCONFIG, F_OK) == 0);
++	has_selinux_config = (access(selinux_config_path(), F_OK) == 0);
+ #endif
+ }
+ 
+diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
+index 1d8cfb71..79deb6fc 100644
+--- a/libselinux/src/selinux_config.c
++++ b/libselinux/src/selinux_config.c
+@@ -89,7 +89,7 @@ static const uint16_t file_path_suffixes_idx[NEL] = {
+ int selinux_getenforcemode(int *enforce)
+ {
+ 	int ret = -1;
+-	FILE *cfg = fopen(SELINUXCONFIG, "re");
++	FILE *cfg = fopen(selinux_config_path(), "re");
+ 	if (cfg) {
+ 		char *buf;
+ 		char *tag;
+@@ -153,7 +153,6 @@ static int setpolicytype(const char *type)
+ }
+ 
+ static char *selinux_policyroot = NULL;
+-static const char *selinux_rootpath = SELINUXDIR;
+ 
+ static void init_selinux_config(void)
+ {
+@@ -166,7 +165,7 @@ static void init_selinux_config(void)
+ 	if (selinux_policyroot)
+ 		return;
+ 
+-	fp = fopen(SELINUXCONFIG, "re");
++	fp = fopen(selinux_config_path(), "re");
+ 	if (fp) {
+ 		__fsetlocking(fp, FSETLOCKING_BYCALLER);
+ 		while ((len = getline(&line_buf, &line_len, fp)) > 0) {
+@@ -228,7 +227,7 @@ static void init_selinux_config(void)
+ 	if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0)
+ 		return;
+ 
+-	if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1)
++	if (asprintf(&selinux_policyroot, "%s%s", selinux_path(), selinux_policytype) == -1)
+ 		return;
+ 
+ 	for (i = 0; i < NEL; i++)
+@@ -312,7 +311,13 @@ int selinux_set_policy_root(const char *path)
+ 
+ const char *selinux_path(void)
+ {
+-	return selinux_rootpath;
++	return access(SELINUXDIR_RO, F_OK) == 0 ? SELINUXDIR_RO : SELINUXDIR_RW;
++}
++
++
++const char *selinux_config_path(void)
++{
++	return access(SELINUXDIR_RO, F_OK) == 0 ? SELINUXCONFIG_RO : SELINUXCONFIG_RW;
+ }
+ 
+ 
+diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
+index af69ff04..0ff78e04 100644
+--- a/libselinux/src/selinux_internal.h
++++ b/libselinux/src/selinux_internal.h
+@@ -89,8 +89,11 @@ extern int selinux_page_size ;
+ 	pthread_cond_wait					\
+ )
+ 
+-#define SELINUXDIR "/etc/selinux/"
+-#define SELINUXCONFIG SELINUXDIR "config"
++#define SELINUXDIR_RW "/etc/selinux/"
++#define SELINUXDIR_RO "/usr/etc/selinux/"
++#define SELINUXCONFIG_RO SELINUXDIR_RO "config"
++#define SELINUXCONFIG_RW SELINUXDIR_RW "config"
++const char *selinux_config_path(void);
+ 
+ extern int has_selinux_config ;
+ 
diff --git a/SPECS/libselinux/libselinux.spec b/SPECS/libselinux/libselinux.spec
@@ -1,13 +1,14 @@
 Summary:        SELinux library and simple utilities
 Name:           libselinux
 Version:        3.6
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Public Domain
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System Environment/Libraries
 URL:            https://github.com/SELinuxProject/selinux/wiki
 Source0:        https://github.com/SELinuxProject/selinux/releases/download/%{version}/%{name}-%{version}.tar.gz
+Patch1:         libselinux-usr-etc-selinux-path.patch
 BuildRequires:  libsepol-devel
 BuildRequires:  pcre2-devel
 BuildRequires:  swig
@@ -64,7 +65,7 @@ The libselinux-python package contains the python3 bindings for developing
 SELinux applications.
 
 %prep
-%autosetup
+%autosetup -p2
 
 %build
 export USE_PCRE2="y"
@@ -109,6 +110,10 @@ echo "d /run/setrans 0755 root root" > %{buildroot}/%{_libdir}/tmpfiles.d/libsel
 %{python3_sitelib}/*
 
 %changelog
+* Tue Sep 30 2025 Chris PeBenito <chpebeni@microsoft.com> - 3.6-4
+- Support SELinux policy tree at /usr/etc/selinux.  This supports a
+  dm-verity protected policy in a read-only /usr.
+
 * Wed Apr 03 2024 Betty Lakes <bettylakes@microsoft.com> - 3.6-3
 - Move to pcre2
 
diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@@ -250,7 +250,7 @@ python3-libs-3.12.9-5.azl3.aarch64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.aarch64.rpm
-libselinux-3.6-3.azl3.aarch64.rpm
+libselinux-3.6-4.azl3.aarch64.rpm
 slang-2.3.3-1.azl3.aarch64.rpm
 newt-0.52.23-1.azl3.aarch64.rpm
 newt-lang-0.52.23-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -250,7 +250,7 @@ python3-libs-3.12.9-5.azl3.x86_64.rpm
 python3-setuptools-69.0.3-5.azl3.noarch.rpm
 python3-pygments-2.7.4-2.azl3.noarch.rpm
 which-2.21-8.azl3.x86_64.rpm
-libselinux-3.6-3.azl3.x86_64.rpm
+libselinux-3.6-4.azl3.x86_64.rpm
 slang-2.3.3-1.azl3.x86_64.rpm
 newt-0.52.23-1.azl3.x86_64.rpm
 newt-lang-0.52.23-1.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -217,11 +217,11 @@ libpipeline-debuginfo-1.5.7-1.azl3.aarch64.rpm
 libpipeline-devel-1.5.7-1.azl3.aarch64.rpm
 libpkgconf-2.0.2-1.azl3.aarch64.rpm
 libpkgconf-devel-2.0.2-1.azl3.aarch64.rpm
-libselinux-3.6-3.azl3.aarch64.rpm
-libselinux-debuginfo-3.6-3.azl3.aarch64.rpm
-libselinux-devel-3.6-3.azl3.aarch64.rpm
-libselinux-python3-3.6-3.azl3.aarch64.rpm
-libselinux-utils-3.6-3.azl3.aarch64.rpm
+libselinux-3.6-4.azl3.aarch64.rpm
+libselinux-debuginfo-3.6-4.azl3.aarch64.rpm
+libselinux-devel-3.6-4.azl3.aarch64.rpm
+libselinux-python3-3.6-4.azl3.aarch64.rpm
+libselinux-utils-3.6-4.azl3.aarch64.rpm
 libsepol-3.6-2.azl3.aarch64.rpm
 libsepol-debuginfo-3.6-2.azl3.aarch64.rpm
 libsepol-devel-3.6-2.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -225,11 +225,11 @@ libpipeline-debuginfo-1.5.7-1.azl3.x86_64.rpm
 libpipeline-devel-1.5.7-1.azl3.x86_64.rpm
 libpkgconf-2.0.2-1.azl3.x86_64.rpm
 libpkgconf-devel-2.0.2-1.azl3.x86_64.rpm
-libselinux-3.6-3.azl3.x86_64.rpm
-libselinux-debuginfo-3.6-3.azl3.x86_64.rpm
-libselinux-devel-3.6-3.azl3.x86_64.rpm
-libselinux-python3-3.6-3.azl3.x86_64.rpm
-libselinux-utils-3.6-3.azl3.x86_64.rpm
+libselinux-3.6-4.azl3.x86_64.rpm
+libselinux-debuginfo-3.6-4.azl3.x86_64.rpm
+libselinux-devel-3.6-4.azl3.x86_64.rpm
+libselinux-python3-3.6-4.azl3.x86_64.rpm
+libselinux-utils-3.6-4.azl3.x86_64.rpm
 libsepol-3.6-2.azl3.x86_64.rpm
 libsepol-debuginfo-3.6-2.azl3.x86_64.rpm
 libsepol-devel-3.6-2.azl3.x86_64.rpm
