SELinux Module Packaging in FC5

Wed Jun 21 14:39:58 UTC 2006

> From: Paul Howarth [mailto:paul at city-fan.org] 
> 
> Joshua Brindle wrote:
> >> From: Paul Howarth [mailto:paul at city-fan.org]
> >>
> >> Joshua Brindle wrote:
> >>>> From: Paul Howarth [mailto:paul at city-fan.org]
> >>>>
> >>>> On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
> >>>>> On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
> >>>>>> On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
> >>>>>>> Paul Howarth wrote:
> >>>>>>>> Stephen Smalley wrote:
> >>>>>>>>> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> >>>>>>>>>> It contains a policy module, but the module only
> >>>> includes file contexts.
> >>>>>>>>> If this is going to be common, then semodule_package and 
> >>>>>>>>> libsemanage need to allow for policy packages that
> >>>> have no policy module.
> >>>>> [cut]
> >>>>>> - Cleanly supporting policy packages that do not include
> >> a binary
> >>>>>> policy module in the tools (e.g. semodule_package) and
> >>>> libraries (e.g.
> >>>>>> libsemanage, libsepol), so that they can be used to ship
> >>>> just file
> >>>>>> contexts or other components.  I don't know of any work
> >>>> in progress
> >>>>>> yet on that issue, so it may make sense to bugzilla it,
> >>>> although it
> >>>>>> is really an upstream issue, and there isn't presently an
> >>>> upstream
> >>>>>> bugzilla for selinux (just the mailing list).
> >>>>> I was looking at what it would take to support a package
> >> without a
> >>>>> module.  Without the binary policy, there is one problem of
> >>>> where the
> >>>>> module name and version will come from.  We could either
> >>>> add this to
> >>>>> the package itself (which would require a policy package format 
> >>>>> change), or add a section to the package for module name
> >>>> and version
> >>>>> (which seems like a hack to me).
> >>>> What I'm suggesting isn't a policy package with just file
> >> contexts,
> >>>> it's one with no allow/dontaudit rules in the policy, like this:
> >>>>
> >>>> ::::::::::::::
> >>>> contagged.if
> >>>> ::::::::::::::
> >>>> # contagged.if
> >>>> #
> >>>> # This module has no interfaces
> >>>> ::::::::::::::
> >>>> contagged.fc
> >>>> ::::::::::::::
> >>>> /var/cache/contagged(/.*)?
> >>>> gen_context(system_u:object_r:httpd_cache_t,s0)
> >>>> ::::::::::::::
> >>>> contagged.te
> >>>> ::::::::::::::
> >>>> # It's currently only necessary to set file contexts for 
> the cache 
> >>>> directory # in this policy, but doing it in a module is
> >> easier from a
> >>>> package maintenance # point of view than using semanage
> >> and chcon in
> >>>> scriptlets
> >>>>
> >>>> policy_module(contagged, 0.3)
> >>>>
> >>>> ########################################
> >>>> #
> >>>> # Declarations
> >>>> #
> >>>>
> >>>> require {
> >>>>         type httpd_cache_t;
> >>>> };
> >>>>
> >>>>
> >>>> ########################################
> >>>> #
> >>>> # Local policy
> >>>> #
> >>>>
> >>>> # (none needed)
> >>>>
> >>>>> More importantly, I believe a package without a module does
> >>>> not make
> >>>>> sense because the types and users used in the file
> >> contexts should
> >>>>> either be declared or required by the module in the package.
> >>>>> Otherwise the transaction fails late when the file contexts are 
> >>>>> validated, rather than early during linking.
> >>>> I agree. It would make sense for compilation/linking of 
> the module 
> >>>> above to fail if the "require" wasn't present.
> >>>> Currently that doesn't happen.
> >>>>
> >>>> Paul.
> >>>>
> >>> Try putting a line with just ; where the rules would go 
> and see if 
> >>> that compiles.
> >> What I'm saying is that the module compiles just fine without the 
> >> "require" section, and I think it might be better if it 
> didn't (or at 
> >> least emitted a warning) since the .fc part references 
> httpd_cache_t.
> >>
> >> Paul.
> >>
> > 
> > Not necessarilly. For example, a policy that declares 2 
> roles and does 
> > a role allow between them, while not useful, is valid. No 
> requirements 
> > would be necessary then.
> 
> In the example I gave earlier, file context types were used 
> in the .fc file; I just think it would make sense for these 
> to be "required" in the same way that they would be if they 
> were used in the .te file.
> 
> We're getting away from the original issue here though, which 
> was for clean support of policy module packages containing 
> file contexts and no rules, to avoid issues like this:
> 
> http://www.redhat.com/archives/fedora-selinux-list/2006-May/ms
> g00104.html
> 

It would be non-trivial to change the linker to enforce requires in file
contexts but I agree that it should at least be convention.

Back to the point, my email a few times back suggested putting a line
with just ; where the rules would be in order to get a module without
rules, have you tried that?