SELinux Module Packaging in FC5

Paul Howarth paul at city-fan.org
Wed Jun 21 07:34:42 UTC 2006


On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
> On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
> > On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
> > > Paul Howarth wrote:
> > > > Stephen Smalley wrote:
> > > >> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> > > >>> It contains a policy module, but the module only includes file contexts.
> > > >>
> > > >> If this is going to be common, then semodule_package and libsemanage
> > > >> need to allow for policy packages that have no policy module.
> [cut]
> > - Cleanly supporting policy packages that do not include a binary policy
> > module in the tools (e.g. semodule_package) and libraries (e.g.
> > libsemanage, libsepol), so that they can be used to ship just file
> > contexts or other components.  I don't know of any work in progress yet
> > on that issue, so it may make sense to bugzilla it, although it is
> > really an upstream issue, and there isn't presently an upstream bugzilla
> > for selinux (just the mailing list).
> 
> I was looking at what it would take to support a package without a
> module.  Without the binary policy, there is one problem of where the
> module name and version will come from.  We could either add this to the
> package itself (which would require a policy package format change), or
> add a section to the package for module name and version (which seems
> like a hack to me).

What I'm suggesting isn't a policy package with just file contexts, it's
one with no allow/dontaudit rules in the policy, like this:

::::::::::::::
contagged.if
::::::::::::::
# contagged.if
#
# This module has no interfaces
::::::::::::::
contagged.fc
::::::::::::::
/var/cache/contagged(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
::::::::::::::
contagged.te
::::::::::::::
# It's currently only necessary to set file contexts for the cache directory
# in this policy, but doing it in a module is easier from a package maintenance
# point of view than using semanage and chcon in scriptlets

policy_module(contagged, 0.3)

########################################
#
# Declarations
#

require {
        type httpd_cache_t;
};


########################################
#
# Local policy
#

# (none needed)

> More importantly, I believe a package without a module does not make
> sense because the types and users used in the file contexts should
> either be declared or required by the module in the package.  Otherwise
> the transaction fails late when the file contexts are validated, rather
> than early during linking.

I agree. It would make sense for compilation/linking of the module above
to fail if the "require" wasn't present. Currently that doesn't happen.

Paul.
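As an added illustration (not code from the thread, and not an SELinux tool), the early check discussed above can be approximated outside the build: a small Python script that reads the module's .te for top-level type declarations and require { type X; } blocks, reads the .fc for gen_context() entries, and flags file-context types the module neither declares nor requires. The sample .te/.fc text is constructed from the contagged module above plus one extra entry using a hypothetical httpd_log_t type.

```python
import re

# Constructed sample inputs (not files from the thread's package): the contagged
# .te with its require block, and an .fc with one extra entry whose type the
# .te neither declares nor requires.
TE_SRC = """\
policy_module(contagged, 0.3)
require {
        type httpd_cache_t;
};
"""
FC_SRC = (
    "/var/cache/contagged(/.*)?\tgen_context(system_u:object_r:httpd_cache_t,s0)\n"
    "/var/log/contagged(/.*)?\tgen_context(system_u:object_r:httpd_log_t,s0)\n"
)

REQUIRE_BLOCK = re.compile(r"require\s*\{(.*?)\}", re.S)
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)
FC_CONTEXT = re.compile(r"gen_context\(\s*[^:]+:[^:]+:([^:,\s)]+)")

def te_types(te_src):
    """Types visible to the module: top-level 'type X;' declarations plus
    everything pulled in through require { type X; } blocks."""
    types = set()
    for body in REQUIRE_BLOCK.findall(te_src):
        types.update(TYPE_DECL.findall(body))
    types.update(TYPE_DECL.findall(REQUIRE_BLOCK.sub("", te_src)))
    return types

def fc_entries(fc_src):
    """(path_regex, type) for each gen_context() line in the .fc; comments,
    blank lines and an optional file-type flag such as -d are skipped."""
    entries = []
    for line in fc_src.splitlines():
        line = line.strip()
        m = FC_CONTEXT.search(line)
        if line and not line.startswith("#") and m:
            entries.append((line[:m.start()].split()[0], m.group(1)))
    return entries

def unresolved_fc_types(te_src, fc_src):
    """Entries whose type the .te neither declares nor requires: the ones that
    would otherwise fail only late, when the file contexts are validated."""
    known = te_types(te_src)
    return sorted({e for e in fc_entries(fc_src) if e[1] not in known})

if __name__ == "__main__":
    for path, t in unresolved_fc_types(TE_SRC, FC_SRC):
        print(f"{path}: type {t} is neither declared nor required by the .te")
```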




More information about the fedora-selinux-list mailing list