Joshua Brindle wrote:
> From: Paul Howarth [mailto:paul@city-fan.org]
>
> On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
>> On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
>>> On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
>>>> Paul Howarth wrote:
>>>>> Stephen Smalley wrote:
>>>>>> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
>>>>>>> It contains a policy module, but the module only includes file contexts.
>>>>>> If this is going to be common, then semodule_package and
>>>>>> libsemanage need to allow for policy packages that have no policy module.
>> [cut]
>>> - Cleanly supporting policy packages that do not include a binary
>>> policy module in the tools (e.g. semodule_package) and libraries (e.g.
>>> libsemanage, libsepol), so that they can be used to ship just file
>>> contexts or other components. I don't know of any work in progress
>>> yet on that issue, so it may make sense to bugzilla it, although it
>>> is really an upstream issue, and there isn't presently an upstream
>>> bugzilla for selinux (just the mailing list).
>> I was looking at what it would take to support a package without a
>> module. Without the binary policy, there is one problem of where the
>> module name and version will come from. We could either add this to
>> the package itself (which would require a policy package format
>> change), or add a section to the package for module name and version
>> (which seems like a hack to me).
> What I'm suggesting isn't a policy package with just file
> contexts, it's one with no allow/dontaudit rules in the
> policy, like this:
>
> ::::::::::::::
> contagged.if
> ::::::::::::::
> # contagged.if
> #
> # This module has no interfaces
> ::::::::::::::
> contagged.fc
> ::::::::::::::
> /var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
> ::::::::::::::
> contagged.te
> ::::::::::::::
> # It's currently only necessary to set file contexts for the cache directory
> # in this policy, but doing it in a module is easier from a package maintenance
> # point of view than using semanage and chcon in scriptlets
>
> policy_module(contagged, 0.3)
>
> ########################################
> #
> # Declarations
> #
>
> require {
> type httpd_cache_t;
> };
>
>
> ########################################
> #
> # Local policy
> #
>
> # (none needed)
>
>> More importantly, I believe a package without a module does not make
>> sense because the types and users used in the file contexts should
>> either be declared or required by the module in the package.
>> Otherwise the transaction fails late when the file contexts are
>> validated, rather than early during linking.
> I agree. It would make sense for compilation/linking of the
> module above to fail if the "require" wasn't present.
> Currently that doesn't happen.
>
> Paul.
>
Try putting a line with just ; where the rules would go and see if that
compiles.
What I'm saying is that the module compiles just fine without the
"require" section, and I think it might be better if it didn't (or at
least emitted a warning) since the .fc part references httpd_cache_t.
Paul.
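The check Paul is asking for above (fail, or at least warn, when a .fc file labels paths with a type the .te neither declares nor requires) can be approximated outside the policy compiler. The following Python script is an added example, not code from the thread or from the SELinux toolchain: it parses the contagged.te and contagged.fc text shown above (embedded inline as constructed samples), collects the types that the .te declares with `type foo;` or lists in a `require { type ...; }` block, and reports any type used in a .fc security context that is not among them. The regex-based parsing is a deliberate simplification of real policy syntax (it does not run checkmodule) and covers only types, not users or roles.

```python
import re

# Constructed sample input, modelled on the contagged module from this thread:
# a .te that only requires httpd_cache_t, and a .fc that labels files with it.
CONTAGGED_TE = """\
policy_module(contagged, 0.3)

########################################
#
# Declarations
#

require {
    type httpd_cache_t;
};

# Local policy: (none needed)
"""

# The same .te with the require block left out: it compiles today, but the
# .fc reference to httpd_cache_t is only checked when the package is loaded.
CONTAGGED_TE_NO_REQUIRE = """\
policy_module(contagged, 0.3)
"""

CONTAGGED_FC = """\
# cache directory labelled as httpd cache
/var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
"""

# A security context is user:role:type (optionally followed by an MLS range);
# this matches both gen_context(u:r:t,s0) and a literal u:r:t:s0.
CONTEXT_RE = re.compile(r"\b(\w+):(\w+):(\w+)")
# 'type foo' at the start of a line in the module body (a type declaration);
# 'typeattribute' and 'type_transition' do not match because they have no
# whitespace directly after the word 'type'.
TYPE_DECL_RE = re.compile(r"^\s*type\s+([A-Za-z_]\w*)", re.M)
REQUIRE_BLOCK_RE = re.compile(r"\brequire\s*\{(.*?)\}", re.S)
REQUIRE_TYPE_RE = re.compile(r"\btype\s+([^;]+);")


def strip_comments(text):
    """Drop everything after '#' on each line (policy and .fc comment syntax)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def fc_types(fc_text):
    """Types that a .fc file assigns to paths (third field of each context)."""
    types = set()
    for line in strip_comments(fc_text).splitlines():
        m = CONTEXT_RE.search(line)
        if m:
            types.add(m.group(3))
    return types


def te_types(te_text):
    """Types a .te file makes available: declared with 'type foo;' or listed
    in a require { type foo, bar; } block."""
    known = set()

    def collect_required(match):
        for t in REQUIRE_TYPE_RE.finditer(match.group(1)):
            known.update(name.strip() for name in t.group(1).split(","))
        return ""  # remove the block so its contents are not re-scanned

    body = REQUIRE_BLOCK_RE.sub(collect_required, strip_comments(te_text))
    known.update(TYPE_DECL_RE.findall(body))
    return known


def undeclared_fc_types(te_text, fc_text):
    """Types the .fc uses that the .te neither declares nor requires; these are
    the references that would otherwise fail late, at file-context validation."""
    return sorted(fc_types(fc_text) - te_types(te_text))


if __name__ == "__main__":
    for label, te in (("with require", CONTAGGED_TE),
                      ("without require", CONTAGGED_TE_NO_REQUIRE)):
        missing = undeclared_fc_types(te, CONTAGGED_FC)
        status = "ok" if not missing else "WARNING: undeclared " + ", ".join(missing)
        print(f"contagged.te {label}: {status}")
```

Run as-is, the script reports the first variant as fine and flags `httpd_cache_t` for the second, which is the early failure Paul wants the real tools to produce; a packager could run the same check in a build script before calling semodule_package.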