From: Paul Howarth [mailto:paul@city-fan.org]
On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
> On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
> > On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
> > > Paul Howarth wrote:
> > > > Stephen Smalley wrote:
> > > >> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> > > >>> It contains a policy module, but the module only includes file contexts.
> > > >>
> > > >> If this is going to be common, then semodule_package and
> > > >> libsemanage need to allow for policy packages that have no policy module.
> [cut]
> > - Cleanly supporting policy packages that do not include a binary
> > policy module in the tools (e.g. semodule_package) and libraries (e.g.
> > libsemanage, libsepol), so that they can be used to ship just file
> > contexts or other components. I don't know of any work in progress
> > yet on that issue, so it may make sense to bugzilla it, although it
> > is really an upstream issue, and there isn't presently an upstream
> > bugzilla for selinux (just the mailing list).
>
> I was looking at what it would take to support a package without a
> module. Without the binary policy, there is one problem of where the
> module name and version will come from. We could either add this to
> the package itself (which would require a policy package format
> change), or add a section to the package for module name and version
> (which seems like a hack to me).
What I'm suggesting isn't a policy package with just file
contexts, it's one with no allow/dontaudit rules in the
policy, like this:
::::::::::::::
contagged.if
::::::::::::::
# contagged.if
#
# This module has no interfaces
::::::::::::::
contagged.fc
::::::::::::::
/var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
::::::::::::::
contagged.te
::::::::::::::
# It's currently only necessary to set file contexts for the cache directory
# in this policy, but doing it in a module is easier from a package maintenance
# point of view than using semanage and chcon in scriptlets
policy_module(contagged, 0.3)
########################################
#
# Declarations
#
require {
type httpd_cache_t;
};
########################################
#
# Local policy
#
# (none needed)
> More importantly, I believe a package without a module does not make
> sense because the types and users used in the file contexts should
> either be declared or required by the module in the package.
> Otherwise the transaction fails late when the file contexts are
> validated, rather than early during linking.
I agree. It would make sense for compilation/linking of the
module above to fail if the "require" wasn't present.
Currently that doesn't happen.
Paul.
Try putting a line with just ; where the rules would go and see if that
compiles.
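An added example, not part of this thread and not code from the SELinux tools: a small Python check for the failure mode Chris describes, an .fc entry that uses a type the module neither declares nor requires, so that a packager can catch it before building the .pp rather than at file context validation. The sample .te and .fc sources are constructed here, modelled on the contagged module above plus one extra hypothetical entry; the parsing is a simplified approximation of what the linker checks (assumption).

```python
import re

# Constructed sample modelled on the contagged module in the thread, plus a
# second (hypothetical) .fc entry whose type the .te neither declares nor requires.
CONTAGGED_TE = """\
policy_module(contagged, 0.3)
require {
    type httpd_cache_t;
};
# Local policy: (none needed)
"""
CONTAGGED_FC = """\
/var/cache/contagged(/.*)?  gen_context(system_u:object_r:httpd_cache_t,s0)
/var/log/contagged(/.*)?    gen_context(system_u:object_r:httpd_log_t,s0)
"""

COMMENT_RE = re.compile(r"#.*")                             # '#' to end of line
REQ_BLOCK_RE = re.compile(r"require\s*\{(.*?)\}", re.S)     # require { ... };
TYPE_RE = re.compile(r"\btype\s+(\w+)")                     # 'type foo_t;' / 'type foo_t, attr;'
CTX_RE = re.compile(r"gen_context\(\s*(\w+):(\w+):(\w+)")   # user:role:type

def known_types(te_source):
    """(declared, required): types the .te declares itself, and types it pulls
    in through require { type ...; } blocks."""
    src = COMMENT_RE.sub("", te_source)
    required = set()
    for block in REQ_BLOCK_RE.findall(src):
        required.update(TYPE_RE.findall(block))
    declared = set(TYPE_RE.findall(REQ_BLOCK_RE.sub("", src)))
    return declared, required

def fc_types(fc_source):
    """Map each .fc path spec to the type named in its gen_context()."""
    result = {}
    for line in fc_source.splitlines():
        line = COMMENT_RE.sub("", line).strip()
        match = CTX_RE.search(line)
        if line and match:
            result[line.split()[0]] = match.group(3)
    return result

def undeclared_fc_types(te_source, fc_source):
    """{type: [path specs]} for .fc entries whose type the module neither declares
    nor requires; these are the ones that only fail later, at fc validation."""
    declared, required = known_types(te_source)
    missing = {}
    for path, type_name in fc_types(fc_source).items():
        if type_name not in declared | required:
            missing.setdefault(type_name, []).append(path)
    return missing
```

Run `undeclared_fc_types(CONTAGGED_TE, CONTAGGED_FC)` on the sample and it reports httpd_log_t for the /var/log entry, while the httpd_cache_t entry passes because of the require block.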