From: Paul Howarth [mailto:paul@city-fan.org]
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote: > On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote: >> Paul Howarth wrote: >>> Stephen Smalley wrote: >>>> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote: >>>>> It contains a policy module, but the module only
includes file contexts.
>>>> If this is going to be common, then semodule_package and >>>> libsemanage need to allow for policy packages that
have no policy module.
[cut] > - Cleanly supporting policy packages that do not include
a binary
> policy module in the tools (e.g. semodule_package) and
libraries (e.g.
> libsemanage, libsepol), so that they can be used to ship
just file
> contexts or other components. I don't know of any work
in progress
> yet on that issue, so it may make sense to bugzilla it,
although it
> is really an upstream issue, and there isn't presently an
upstream
> bugzilla for selinux (just the mailing list). I was looking at what it would take to support a package
without a
module. Without the binary policy, there is one problem of
where the
module name and version will come from. We could either
add this to
the package itself (which would require a policy package format change), or add a section to the package for module name
and version
(which seems like a hack to me).
What I'm suggesting isn't a policy package with just file
contexts,
it's one with no allow/dontaudit rules in the policy, like this:
:::::::::::::: contagged.if :::::::::::::: # contagged.if # # This module has no interfaces :::::::::::::: contagged.fc :::::::::::::: /var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) :::::::::::::: contagged.te :::::::::::::: # It's currently only necessary to set file contexts for
the cache
directory # in this policy, but doing it in a module is
easier from a
package maintenance # point of view than using semanage
and chcon in
scriptlets
policy_module(contagged, 0.3)
######################################## # # Declarations #
require { type httpd_cache_t; };
######################################## # # Local policy #
# (none needed)
More importantly, I believe a package without a module does
not make
sense because the types and users used in the file
contexts should
either be declared or required by the module in the package. Otherwise the transaction fails late when the file contexts are validated, rather than early during linking.
I agree. It would make sense for compilation/linking of
the module
above to fail if the "require" wasn't present. Currently that doesn't happen.
Paul.
Try putting a line with just ; where the rules would go
and see if
that compiles.
What I'm saying is that the module compiles just fine without the "require" section, and I think it might be better if it
didn't (or at
least emitted a warning) since the .fc part references
httpd_cache_t.
Paul.
Not necessarilly. For example, a policy that declares 2
roles and does
a role allow between them, while not useful, is valid. No
requirements
would be necessary then.
In the example I gave earlier, file context types were used in the .fc file; I just think it would make sense for these to be "required" in the same way that they would be if they were used in the .te file.
We're getting away from the original issue here though, which was for clean support of policy module packages containing file contexts and no rules, to avoid issues like this:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/ms g00104.html
It would be non-trivial to change the linker to enforce requires in file contexts but I agree that it should at least be convention.
Back to the point, my email a few times back suggested putting a line with just ; where the rules would be in order to get a module without rules, have you tried that?
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
Joshua Brindle wrote:
From: Paul Howarth [mailto:paul@city-fan.org]
On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote: > On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote: >> On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote: >>> Paul Howarth wrote: >>>> Stephen Smalley wrote: >>>>> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote: >>>>>> It contains a policy module, but the module only includes file contexts. >>>>> If this is going to be common, then semodule_package and >>>>> libsemanage need to allow for policy packages that have no policy module. > [cut] >> - Cleanly supporting policy packages that do not include
a binary
>> policy module in the tools (e.g. semodule_package) and libraries (e.g. >> libsemanage, libsepol), so that they can be used to ship just file >> contexts or other components. I don't know of any work in progress >> yet on that issue, so it may make sense to bugzilla it, although it >> is really an upstream issue, and there isn't presently an upstream >> bugzilla for selinux (just the mailing list). > I was looking at what it would take to support a package
without a
> module. Without the binary policy, there is one problem of where the > module name and version will come from. We could either add this to > the package itself (which would require a policy package format > change), or add a section to the package for module name and version > (which seems like a hack to me). What I'm suggesting isn't a policy package with just file
contexts,
it's one with no allow/dontaudit rules in the policy, like this:
:::::::::::::: contagged.if :::::::::::::: # contagged.if # # This module has no interfaces :::::::::::::: contagged.fc :::::::::::::: /var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) :::::::::::::: contagged.te :::::::::::::: # It's currently only necessary to set file contexts for
the cache
directory # in this policy, but doing it in a module is
easier from a
package maintenance # point of view than using semanage
and chcon in
scriptlets
policy_module(contagged, 0.3)
######################################## # # Declarations #
require { type httpd_cache_t; };
######################################## # # Local policy #
# (none needed)
> More importantly, I believe a package without a module does not make > sense because the types and users used in the file
contexts should
> either be declared or required by the module in the package. > Otherwise the transaction fails late when the file contexts are > validated, rather than early during linking. I agree. It would make sense for compilation/linking of
the module
above to fail if the "require" wasn't present. Currently that doesn't happen.
Paul.
Try putting a line with just ; where the rules would go
and see if
that compiles.
What I'm saying is that the module compiles just fine without the "require" section, and I think it might be better if it
didn't (or at
least emitted a warning) since the .fc part references
httpd_cache_t.
Paul.
Not necessarilly. For example, a policy that declares 2
roles and does
a role allow between them, while not useful, is valid. No
requirements
would be necessary then.
In the example I gave earlier, file context types were used in the .fc file; I just think it would make sense for these to be "required" in the same way that they would be if they were used in the .te file.
We're getting away from the original issue here though, which was for clean support of policy module packages containing file contexts and no rules, to avoid issues like this:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/ms g00104.html
It would be non-trivial to change the linker to enforce requires in file contexts but I agree that it should at least be convention.
Back to the point, my email a few times back suggested putting a line with just ; where the rules would be in order to get a module without rules, have you tried that?
Is this with or without the requires clause?
With the requires clause, the semicolon doesn't seem to make any difference.
Paul.
selinux@lists.fedoraproject.org