SELinux Module Packaging in FC5

Joshua Brindle jbrindle at tresys.com
Wed Jun 21 13:48:01 UTC 2006


> From: Paul Howarth [mailto:paul at city-fan.org] 
> 
> On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
> > On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
> > > On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
> > > > Paul Howarth wrote:
> > > > > Stephen Smalley wrote:
> > > > >> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> > > > >>> It contains a policy module, but the module only includes file contexts.
> > > > >>
> > > > >> If this is going to be common, then semodule_package and
> > > > >> libsemanage need to allow for policy packages that have no policy module.
> > [cut]
> > > - Cleanly supporting policy packages that do not include a binary
> > > policy module in the tools (e.g. semodule_package) and libraries (e.g.
> > > libsemanage, libsepol), so that they can be used to ship just file
> > > contexts or other components.  I don't know of any work in progress
> > > yet on that issue, so it may make sense to bugzilla it, although it
> > > is really an upstream issue, and there isn't presently an upstream
> > > bugzilla for selinux (just the mailing list).
> > 
> > I was looking at what it would take to support a package without a
> > module.  Without the binary policy, there is one problem of where the
> > module name and version will come from.  We could either add this to
> > the package itself (which would require a policy package format
> > change), or add a section to the package for module name and version
> > (which seems like a hack to me).
> 
> What I'm suggesting isn't a policy package with just file 
> contexts, it's one with no allow/dontaudit rules in the 
> policy, like this:
> 
> ::::::::::::::
> contagged.if
> ::::::::::::::
> # contagged.if
> #
> # This module has no interfaces
> ::::::::::::::
> contagged.fc
> ::::::::::::::
> /var/cache/contagged(/.*)?	gen_context(system_u:object_r:httpd_cache_t,s0)
> ::::::::::::::
> contagged.te
> ::::::::::::::
> # It's currently only necessary to set file contexts for the cache directory
> # in this policy, but doing it in a module is easier from a package maintenance
> # point of view than using semanage and chcon in scriptlets
> 
> policy_module(contagged, 0.3)
> 
> ########################################
> #
> # Declarations
> #
> 
> require {
>         type httpd_cache_t;
> };
> 
> 
> ########################################
> #
> # Local policy
> #
> 
> # (none needed)
> 
> > More importantly, I believe a package without a module does not make
> > sense because the types and users used in the file contexts should 
> > either be declared or required by the module in the package.  
> > Otherwise the transaction fails late when the file contexts are 
> > validated, rather than early during linking.
> 
> I agree. It would make sense for compilation/linking of the 
> module above to fail if the "require" wasn't present. 
> Currently that doesn't happen.
> 
> Paul.
> 

Try putting a line with just ; where the rules would go and see if that
compiles.
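The early failure Christopher asks for above (and Paul agrees does not happen today), as an added example that is not part of this thread or of the SELinux toolchain: a hypothetical pre-build lint that reads a module's .te and .fc text and reports any file-context type the .te neither declares nor requires. The inputs are constructed from Paul's contagged module.

```python
import re

# Constructed from Paul's contagged module: a .te with no rules, and an .fc
# that labels the cache directory with a type the .te only requires.
TE_OK = """policy_module(contagged, 0.3)

require {
        type httpd_cache_t;
};
"""
FC_OK = "/var/cache/contagged(/.*)?  gen_context(system_u:object_r:httpd_cache_t,s0)\n"
# Constructed variant that adds a path labelled with a type nobody declared.
FC_BAD = FC_OK + "/var/log/contagged(/.*)?  gen_context(system_u:object_r:contagged_log_t,s0)\n"
TE_FIXED = TE_OK + "type contagged_log_t;\n"

def known_types(te_text):
    """Types the .te declares itself or pulls in through require {} blocks."""
    names = set()
    # 'type foo_t;' or 'type foo_t, some_attr;': only the first name is a type,
    # anything after the comma is an attribute.
    names.update(re.findall(r'^\s*type\s+(\w+)', te_text, re.M))
    # Inside require { }, 'type a, b;' lists types only, so take every name.
    for block in re.findall(r'require\s*\{(.*?)\}', te_text, re.S):
        for stmt in re.findall(r'type\s+([^;]+);', block):
            names.update(n.strip() for n in stmt.split(','))
    return names

def fc_context_types(fc_text):
    """(path regex, type) for every gen_context() entry in a refpolicy .fc."""
    entries = []
    for line in fc_text.splitlines():
        line = line.split('#', 1)[0].strip()      # drop comments and blanks
        m = re.search(r'gen_context\(\s*\w+:\w+:(\w+)', line)
        if m:
            entries.append((line.split()[0], m.group(1)))
    return entries

def undeclared_fc_types(te_text, fc_text):
    """Types the .fc uses that the .te neither declares nor requires; these
    would otherwise surface only when the package is validated after linking."""
    known = known_types(te_text)
    return sorted({t for _, t in fc_context_types(fc_text) if t not in known})

if __name__ == "__main__":
    for name, te, fc in (("ok", TE_OK, FC_OK), ("bad", TE_OK, FC_BAD),
                         ("fixed", TE_FIXED, FC_BAD)):
        print(name, undeclared_fc_types(te, fc) or "all types declared/required")
```

The SELinux user in each context (system_u here) comes from the base policy rather than the module, so the helper checks only the type field.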
