SELinux Module Packaging in FC5

Stephen Smalley sds at tycho.nsa.gov
Tue May 16 14:25:35 UTC 2006


On Tue, 2006-05-16 at 15:08 +0100, Paul Howarth wrote:
> Stephen Smalley wrote:
> > On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
> >> Is there any documentation anywhere on including SELinux Policy Modules 
> >> in packages (e.g. for Extras) in FC5? For instance, is there a directory 
> >> where modules can be dropped into so that they get picked up 
> >> automatically? Where should they live?
> > 
> > Yes, this would be useful to document in the Fedora SELinux wiki.
> > Ideally, policy for a given software package should live in its own
> > package on which the software package depends so that the package
> > manager will install (and thus load) the policy before it tries to
> > unpack the software package (thereby ensuring that any necessary file
> > types are already defined in the kernel policy), e.g. package foo would
> > depend on foo-policy.  Not certain where the foo-policy package should
> > drop its policy module, possibly under /usr/share/selinux/foo, and then
> > it can install it by running semodule -i from its %post scriptlet.
> 
> I've tried this and it doesn't quite work as I expected.
> 
> I have a main package "contagged" and a subpackage "contagged-policy".
> 
> The "contagged" packages has:
> 
> Requires:       contagged-policy = %{version}-%{release}
> Requires(pre):  contagged-policy = %{version}-%{release}
> 
> This ensures that the policy package is installed before the main 
> package, and hangs around as long as the main package itself.
> 
> The policy package dumps policy in 
> %{_datadir}/selinux/packages/contagged and uses scriptlets to handle 
> module insertion and removal:
> 
> %post policy
> [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -i 
> %{_datadir}/selinux/packages/contagged/contagged.pp || :
> 
> %postun policy
> [ $1 -eq 0 ] && [ -x /usr/sbin/semodule ] && /usr/sbin/semodule -r 
> contagged || :
> 
> The only thing the policy module is actually doing is specifying a file 
> context in contagged.fc:
> 
> /var/cache/contagged(/.*)? 
> gen_context(system_u:object_r:httpd_cache_t,s0)
> 
> If contagged-policy is installed first, and then the contagged package 
> is installed (separate rpm transactions), the file contexts get set up 
> as expected. However, if both are done in the same RPM transaction, the 
> packages get installed in the right order (and there is a noticeable 
> delay after installing the policy subpackage where semodule is being 
> called) but the context for directory /var/cache/contagged is left as 
> system_u:object_r:var_t. I suspect that the reason for this is that rpm 
> installs the files for all packages in the transaction and sets their 
> file contexts before running (presumably in order) the %post scripts for 
> the packages.
> 
> This rather defeats the purpose of having the separate -policy package, 
> since I need to use restorecon to fix the file contexts at post-install 
> time in case both packages are installed in the same transaction (a 
> likely scenario). I could do this equally well using a single package, 
> but it's untidy (I have to specify the pathnames that need non-standard 
> contexts in both the .fc policy file and as an argument to restorecon in 
> %post). I really prefer the separate package solution, but I think that 
> would need changes in rpm, which might be hard to get done.
> 
> Any thoughts?

Yes, it appears that the separate -policy package approach isn't going
to work after all (also raised separately on selinux list), so a
different approach is under investigation.  It requires some changes
kernel side (to allow rpm to set down files in their proper contexts
first, then load the policy module that defines them - see kernel patch
posted to selinux list), as well as some userland changes to allow rpm
to determine the file contexts from the .pp file without having to
install it first.  And I think that they want to have rpm compute the
file contexts and store them in the rpm headers again as in FC2 at build
time, then only override them at install time if you aren't using the
default policy.

-- 
Stephen Smalley
National Security Agency
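The scriptlets Paul describes, written out as shell functions together with the restorecon fix-up he mentions for the same-transaction case. This is an added example, not code from either poster; the SEMODULE and RESTORECON overrides, the function names and the PATHS list are assumptions so the logic can be exercised on a host without SELinux.

```shell
# Added example, not from the thread. Each function is one rpm scriptlet body;
# a spec would call them as "policy_post || :" etc. so a failure never aborts
# the transaction. SEMODULE/RESTORECON are overridable (assumed names).
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
RESTORECON=${RESTORECON:-/sbin/restorecon}
MODULE=contagged
PP=/usr/share/selinux/packages/contagged/contagged.pp
# Paths given non-standard contexts in contagged.fc (space separated, unquoted on use)
PATHS="/var/cache/contagged"

# %post policy: load the module, then confirm it is really listed by semodule -l.
policy_post() {
    [ -x "$SEMODULE" ] || return 0          # no SELinux userland: nothing to do
    "$SEMODULE" -i "$PP" || return 1
    "$SEMODULE" -l | grep -q "^$MODULE[[:space:]]"
}

# %postun policy: $1 is the number of instances left; 0 = erase, 1 = upgrade.
policy_postun() {
    [ "${1:-0}" -eq 0 ] || return 0         # upgrade: keep the module loaded
    [ -x "$SEMODULE" ] || return 0
    "$SEMODULE" -r "$MODULE"
}

# %post of the main package: rpm labels every file in the transaction before
# any %post runs, so the policy may not have been loaded when the files were
# set down. Relabel the paths from the .fc file so they get the new types.
main_post() {
    [ -x "$RESTORECON" ] || return 0
    "$RESTORECON" -R $PATHS
}
```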