Semanage, sepolicy Python code and new feature

Leonidas S. Barbosa leosilva at linux.vnet.ibm.com
Mon Oct 7 17:59:35 UTC 2013


On Mon, Oct 07, 2013 at 01:16:25PM -0400, Daniel J Walsh wrote:
> On 10/07/2013 12:39 PM, Leonidas S. Barbosa wrote:
> > On Fri, Oct 04, 2013 at 07:38:32AM -0400, Daniel J Walsh wrote:
> > On 10/02/2013 10:56 AM, Leonidas S. Barbosa wrote:
> >>>> 
> >>>> Hi,
> >>>> 
> >>>> this is my first participation here, not sure if I should introduce myself,
> >>>> but anyway, I'd like to collaborate with some pieces of code in
> >>>> SELinux, and these are my first attempts to.
> >>>> 
> >>>> 1) In the semanage file (policycoreutils/semanage/semanage) I saw that
> >>>> 'import selinux' is there, but the selinux module is not used anywhere. Is it
> >>>> really needed?
> >>>> 
> > Nope, probably used to be used.  I will remove it.
> >>>> 2) Still in the semanage file I noticed that there are assignments
> >>>> to a variable called 'object'; object is also a Python keyword/global
> >>>> variable used to create classes. Wondering if it could mess things
> >>>> up in the future? My suggestion is to change 'object' to '__object'.
> >>>> 
> > Sure send a patch.
> >>>> 3) I also realized that almost all of the code is not compliant with
> >>>> PEP 8; is there any code style to follow in order to collaborate on
> >>>> these .py files?
> >>>> 
> >>>> In case these ^ points (1) and (2) are accepted, I can send the
> >>>> patches.
> >>>> 
> >>>> 
> >>>> Regarding sepolicy, I had a discussion with Daniel about a new
> >>>> tool/feature that will be responsible for linking a Unix user to an
> >>>> SELinux admin user. I started digging into the sepolicy code to
> >>>> understand more about what it does, since sepolicy will be/is the
> >>>> tool responsible for creating policies and new roles/admin roles. Since
> >>>> it is through these admin roles, e.g. logadm_r, that an SELinux admin is
> >>>> created, I was wondering if that linker feature fits in sepolicy or
> >>>> if it should be a separate tool; I would like to have thoughts about
> >>>> that.
> >>>> 
> > I think we should just use sepolicy to create the policy (te, if, fc)
> > files and then use the Makefile and semodule to install the policy.  I
> > guess we could shell out to these commands to do the install.  But I would
> > like the admin to know what the tool is doing, so he could reedit the te
> > file if necessary.
> > 
> > 
> >> So the better option is to have a separate tool here to link these SELinux
> >> admins against UNIX logins.
> > 
> I guess this is something
> > sepolicy generate is the tool we use mainly to generate policy based on
> > templates.
> > 
> > One of my goals for Fedora 21 is to move the entire tool chain to Python3,
> > so we need to become more careful on the coding standards.  If you want to
> > submit patches to clean this up it would be great.
> > 
> >> Cool, by tool chain you mean policycoreutils, right? And regarding which
> >> code to work on, upstream code I believe, but what about the interval for fedora
> >> patches to be applied into upstream? Just looking for the ideal scenario
> >> here, working with fedora patches applied to upstream code.
> > 
> Yes, policycoreutils, but also make sure the libselinux and libsemanage python3
> patches work properly.
> 
> My only problem with a new tool rather than a new sepolicy COMMAND, would be
> the proliferation of SELinux tools.
> 
I believe it can go into semanage, since it deals with login and SELinux
users. My only concern is how to do this (create the SEadmin user and link
them) in semanage without recreating the wheel.

> I would like to move to two tool suites.  semanage and sepolicy.  Rather than
> adding something brand new.

Makes sense to me.
> >>>> Thanks in advance, Leonidas.
> >>>> 
> >>>> -- selinux mailing list selinux at lists.fedoraproject.org 
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>> 
