[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux Module Packaging in FC5



Stephen Smalley wrote:
On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
It contains a policy module, but the module only includes file contexts.

Clarification:  it is a policy package (.pp), but the policy package
only includes file contexts.  The module itself is just the .mod file
created by checkmodule; it never includes file contexts.

Ah, right, thanks for the clarification.

If this is going to be common, then semodule_package and libsemanage
need to allow for policy packages that have no policy module.

I think it is, because changes to file contexts are much more easily managed using semodule, since the policy packages are versioned and semodule will always do the right thing when any newer version is installed.

The alternative, using semanage to tweak file contexts, could quickly become unmanageable. For example, suppose package foo went through some major revisions, moving files around the filesystem hierarchy that needed custom contexts. So the first version of the package would contain an semanage call to set contexts for say:

/var/www/foo/cache(/.*)

The next version moved the cache directory to /var/cache/foo, so a package upgrade would need to remove the context object set up in the first version and create a new one for:

/var/cache/foo(/.*)

There might then be an upstream name change from foo to bar, requiring contexts for:

/var/cache/bar(/.*)

The %post script for this package would need to identify the version of the package being upgraded (none, foo-1, foo-2, or bar), remove the appropriate context object (none, /var/www/foo/cache(/.*), /var/cache/foo(/.*)) if necessary and then install the new context object.

Using semanage, if the policy package remained as foo.pp throughout, "semodule -i foo.pp" would always do the right thing. If for the last version, the policy package changed to bar.pp, it could do "semodule -r foo.pp" first and discard any error messages or failure codes before running "semodule -i bar.pp". Much better I think.

The .te file is just:
---------------------------------------------------------------------
# It's currently only necessary to set file contexts for the cache directory
# in this policy, but doing it in a module is easier from a package maintenance
# point of view than using semanage and chcon in scriptlets

policy_module(contagged, 0.1)

This pulls in requires statements for the kernel classes and
permissions.  Which it seems are being confused with an attempt to
declare classes/permissions in the module by the older libsepol.

The .fc file is:
---------------------------------------------------------------------
/var/cache/contagged(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)
---------------------------------------------------------------------

You can't use gen_context() there, can you?  I thought it had to be
preprocessed already.

I just copied from other .fc files I found in the policy sources, and it seems to work (usually). If I'm wrong, what should I be using?

The module was built on a system with:
$ rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.38-1.fc5
libsepol-1.12.6-1.fc5
libsemanage-1.6.2-2.fc5

The error occurred when the package was installed on a system with:
$ rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.34-3.fc5
libsepol-1.12.4-1.fc5
libsemanage-1.6.2-2.fc5

Hmmm...and what version of checkmodule was used to build it?

$ rpm -q checkpolicy
checkpolicy-1.30.3-1.fc5

Paul.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]