From: Paul Howarth [mailto:paul@city-fan.org]
On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
Paul Howarth wrote:
Stephen Smalley wrote:
On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote: > It contains a policy module, but the module only
includes file contexts.
If this is going to be common, then semodule_package and libsemanage need to allow for policy packages that
have no policy module.
[cut]
- Cleanly supporting policy packages that do not include a binary
policy module in the tools (e.g. semodule_package) and
libraries (e.g.
libsemanage, libsepol), so that they can be used to ship
just file
contexts or other components. I don't know of any work
in progress
yet on that issue, so it may make sense to bugzilla it,
although it
is really an upstream issue, and there isn't presently an
upstream
bugzilla for selinux (just the mailing list).
I was looking at what it would take to support a package without a module. Without the binary policy, there is one problem of
where the
module name and version will come from. We could either
add this to
the package itself (which would require a policy package format change), or add a section to the package for module name
and version
(which seems like a hack to me).
What I'm suggesting isn't a policy package with just file contexts, it's one with no allow/dontaudit rules in the policy, like this:
:::::::::::::: contagged.if :::::::::::::: # contagged.if # # This module has no interfaces :::::::::::::: contagged.fc :::::::::::::: /var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) :::::::::::::: contagged.te :::::::::::::: # It's currently only necessary to set file contexts for the cache directory # in this policy, but doing it in a module is easier from a package maintenance # point of view than using semanage and chcon in scriptlets
policy_module(contagged, 0.3)
######################################## # # Declarations #
require { type httpd_cache_t; };
######################################## # # Local policy #
# (none needed)
More importantly, I believe a package without a module does
not make
sense because the types and users used in the file contexts should either be declared or required by the module in the package. Otherwise the transaction fails late when the file contexts are validated, rather than early during linking.
I agree. It would make sense for compilation/linking of the module above to fail if the "require" wasn't present. Currently that doesn't happen.
Paul.
Try putting a line with just ; where the rules would go and see if that compiles.
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
Paul Howarth wrote:
Stephen Smalley wrote: > On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote: >> It contains a policy module, but the module only
includes file contexts.
> If this is going to be common, then semodule_package and > libsemanage need to allow for policy packages that
have no policy module.
[cut]
- Cleanly supporting policy packages that do not include a binary
policy module in the tools (e.g. semodule_package) and
libraries (e.g.
libsemanage, libsepol), so that they can be used to ship
just file
contexts or other components. I don't know of any work
in progress
yet on that issue, so it may make sense to bugzilla it,
although it
is really an upstream issue, and there isn't presently an
upstream
bugzilla for selinux (just the mailing list).
I was looking at what it would take to support a package without a module. Without the binary policy, there is one problem of
where the
module name and version will come from. We could either
add this to
the package itself (which would require a policy package format change), or add a section to the package for module name
and version
(which seems like a hack to me).
What I'm suggesting isn't a policy package with just file contexts, it's one with no allow/dontaudit rules in the policy, like this:
:::::::::::::: contagged.if :::::::::::::: # contagged.if # # This module has no interfaces :::::::::::::: contagged.fc :::::::::::::: /var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) :::::::::::::: contagged.te :::::::::::::: # It's currently only necessary to set file contexts for the cache directory # in this policy, but doing it in a module is easier from a package maintenance # point of view than using semanage and chcon in scriptlets
policy_module(contagged, 0.3)
######################################## # # Declarations #
require { type httpd_cache_t; };
######################################## # # Local policy #
# (none needed)
More importantly, I believe a package without a module does
not make
sense because the types and users used in the file contexts should either be declared or required by the module in the package. Otherwise the transaction fails late when the file contexts are validated, rather than early during linking.
I agree. It would make sense for compilation/linking of the module above to fail if the "require" wasn't present. Currently that doesn't happen.
Paul.
Try putting a line with just ; where the rules would go and see if that compiles.
What I'm saying is that the module compiles just fine without the "require" section, and I think it might be better if it didn't (or at least emitted a warning) since the .fc part references httpd_cache_t.
Paul.
selinux@lists.fedoraproject.org