From: Paul Howarth [mailto:paul@city-fan.org]
Joshua Brindle wrote:
>> From: Paul Howarth [mailto:paul@city-fan.org]
>>
>> Joshua Brindle wrote:
>>>> From: Paul Howarth [mailto:paul@city-fan.org]
>>>>
>>>> On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
>>>>> On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
>>>>>> On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
>>>>>>> Paul Howarth wrote:
>>>>>>>> Stephen Smalley wrote:
>>>>>>>>> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth
wrote:
>>>>>>>>>> It contains a policy module, but the module
only
>>>> includes file contexts.
>>>>>>>>> If this is going to be common, then semodule_package
and
>>>>>>>>> libsemanage need to allow for policy packages that
>>>> have no policy module.
>>>>> [cut]
>>>>>> - Cleanly supporting policy packages that do not include
>> a binary
>>>>>> policy module in the tools (e.g. semodule_package) and
>>>> libraries (e.g.
>>>>>> libsemanage, libsepol), so that they can be used to ship
>>>> just file
>>>>>> contexts or other components. I don't know of any work
>>>> in progress
>>>>>> yet on that issue, so it may make sense to bugzilla it,
>>>> although it
>>>>>> is really an upstream issue, and there isn't presently an
>>>> upstream
>>>>>> bugzilla for selinux (just the mailing list).
>>>>> I was looking at what it would take to support a package
>> without a
>>>>> module. Without the binary policy, there is one problem of
>>>> where the
>>>>> module name and version will come from. We could either
>>>> add this to
>>>>> the package itself (which would require a policy package format
>>>>> change), or add a section to the package for module name
>>>> and version
>>>>> (which seems like a hack to me).
>>>> What I'm suggesting isn't a policy package with just file
>> contexts,
>>>> it's one with no allow/dontaudit rules in the policy, like this:
>>>>
>>>> ::::::::::::::
>>>> contagged.if
>>>> ::::::::::::::
>>>> # contagged.if
>>>> #
>>>> # This module has no interfaces
>>>> ::::::::::::::
>>>> contagged.fc
>>>> ::::::::::::::
>>>> /var/cache/contagged(/.*)?
>>>> gen_context(system_u:object_r:httpd_cache_t,s0)
>>>> ::::::::::::::
>>>> contagged.te
>>>> ::::::::::::::
>>>> # It's currently only necessary to set file contexts for
the cache
>>>> directory # in this policy, but doing it in a module is
>> easier from a
>>>> package maintenance # point of view than using semanage
>> and chcon in
>>>> scriptlets
>>>>
>>>> policy_module(contagged, 0.3)
>>>>
>>>> ########################################
>>>> #
>>>> # Declarations
>>>> #
>>>>
>>>> require {
>>>> type httpd_cache_t;
>>>> };
>>>>
>>>>
>>>> ########################################
>>>> #
>>>> # Local policy
>>>> #
>>>>
>>>> # (none needed)
>>>>
>>>>> More importantly, I believe a package without a module does
>>>> not make
>>>>> sense because the types and users used in the file
>> contexts should
>>>>> either be declared or required by the module in the package.
>>>>> Otherwise the transaction fails late when the file contexts are
>>>>> validated, rather than early during linking.
>>>> I agree. It would make sense for compilation/linking of
the module
>>>> above to fail if the "require" wasn't present.
>>>> Currently that doesn't happen.
>>>>
>>>> Paul.
>>>>
>>> Try putting a line with just ; where the rules would go
and see if
>>> that compiles.
>> What I'm saying is that the module compiles just fine without the
>> "require" section, and I think it might be better if it
didn't (or at
>> least emitted a warning) since the .fc part references
httpd_cache_t.
>>
>> Paul.
>>
>
> Not necessarilly. For example, a policy that declares 2
roles and does
> a role allow between them, while not useful, is valid. No
requirements
> would be necessary then.
In the example I gave earlier, file context types were used
in the .fc file; I just think it would make sense for these
to be "required" in the same way that they would be if they
were used in the .te file.
We're getting away from the original issue here though, which
was for clean support of policy module packages containing
file contexts and no rules, to avoid issues like this:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/ms
g00104.html
It would be non-trivial to change the linker to enforce requires in file
contexts but I agree that it should at least be convention.
Back to the point, my email a few times back suggested putting a line
with just ; where the rules would be in order to get a module without
rules, have you tried that?