From: James Carter <jwcart2@tycho.nsa.gov>
To: Caleb Case <ccase@tresys.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
	selinux@tycho.nsa.gov, Chad Sellers <csellers@tresys.com>,
	Karl MacMillan <kmacmillan@tresys.com>,
	Joshua Brindle <jbrindle@tresys.com>
Subject: RE: [PATCH 13/13] semanage store migration script
Date: Mon, 11 Jan 2010 14:53:59 -0500
Message-ID: <1263239639.2075.9.camel@localhost>
In-Reply-To: <06A6610D4F464D4EBEAFBF2C5F86911E0184DDE5@exchange2.columbia.tresys.com>

On Fri, 2010-01-08 at 16:27 -0500, Caleb Case wrote:
> > -----Original Message-----
> > From: James Carter [mailto:jwcart2@tycho.nsa.gov]
> > Sent: Friday, January 08, 2010 4:00 PM
> > To: Stephen Smalley
> > Cc: Caleb Case; selinux@tycho.nsa.gov; Chad Sellers; Karl MacMillan;
> > Joshua Brindle
> > Subject: Re: [PATCH 13/13] semanage store migration script
> > 
> > On Fri, 2010-01-08 at 10:34 -0500, Stephen Smalley wrote:
> > > On Wed, 2009-12-23 at 18:26 -0500, Caleb Case wrote:
> > > > We created a migration script to ease the burden of transition from the
> > > > old libsemanage store layout to the new. The script will detect all the
> > > > stores in /etc/selinux using the old layout and convert them to the new
> > > > layout in /var/lib/selinux. It also allows you to specify the default
> > > > priority to use with -p and store to operate on with -s. After migration
> > > > the script by default will leave the old store unchanged, but can be
> > > > told to remove the old modules directory with -c.
> > > >
> > > > Examples:
> > > >
> > > > # Migrate all stores to the new layout.
> > > > migrate.py
> > > >
> > > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > > Attempting to rebuild policy from /var/lib/selinux
> > > >
> > > > # Migrate only the targeted store.
> > > > migrate.py -s targeted
> > > >
> > > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > > Attempting to rebuild policy from /var/lib/selinux
> > > >
> > > > # Migrate all, but install to priority 150.
> > > > migrate.py -p 150
> > > >
> > > > Migrating from /etc/selinux/targeted/modules/active to /var/lib/selinux/targeted/active
> > > > Attempting to rebuild policy from /var/lib/selinux
> > >
> > > I tried the following:
> > > semanage login -a -s user_u pi
> > > cp -a /etc/selinux /etc/selinux.orig
> > > install new userland
> > > migrate.py
> > > diff -ru /etc/selinux.orig /etc/selinux
> > >
> > > The seusers entry for "pi" was dropped from the final seusers file in
> > > the rebuilt policy.
> > >
> > 
> > I saw the same thing.  I added a new login, but it does not show up
> > after the migration with "semanage login -l" even though it is
> > in /var/lib/selinux/targeted/active/seusers and seusers.final.
> > 
> > booleans, ports, file contexts, and permissive domains all show up after
> > the migration, but there are some other issues.
> > 
> > 
> > 1)  For booleans I am getting this error:
> > 
> > # semanage boolean --on git_system_use_cifs
> > Traceback (most recent call last):
> >   File "/usr/sbin/semanage", line 460, in <module>
> >     process_args(sys.argv[1:])
> >   File "/usr/sbin/semanage", line 407, in process_args
> >     raise ValueError(_("Invalid command") % " ".join(argv))
> > TypeError: not all arguments converted during string formatting
> > 
> > 
> > 
> > 2)  Either the priority stuff doesn't work or I am doing something
> > wrong.  Shouldn't either of the following not display any modules since
> > they are all at priority 100?
> > 
> > "semodule -p 900 -l" or "semodule -p 900; semodule -l"
> > 
> > Both display all modules.
> 
> The list command is not affected by the priority setting. Maybe it
> should be? Currently the priority is defaulted to 400 in semodule, but
> we could have it default to 0 and check in the -i/u/r cases for 0 and
> set to 400 and then filter the modules in -l if priority != 0.
> 
It seems like most of the time a person will just want to see the
enabled modules.  At times, though, they might want to see which
priority each enabled module is at, or to see all the modules at a given
priority.

> > 
> > 
> > 3)  I can't remove the permissive domain created before the migration
> > because the default priority level is 400, but the script put everything
> > at priority 100 and I don't know how to change the priority for
> > semanage.
> 
> semanage hasn't been updated yet to let you specify priorities.
> 
I noticed. ;)
So why does the migration script put everything into priority 100
instead of the default priority?

> > 
> > # semanage permissive -d httpd_t
> > libsemanage.semanage_direct_remove_key: Unable to remove module
> > directory /var/lib/selinux/targeted/tmp/modules/400/permissive_httpd_t.
> > (No such file or directory).
> > /usr/sbin/semanage: Could not remove permissive domain httpd_t (remove
> > failed)
> > 
> > 
> > Ports and file contexts addition and removal seems to work fine.
> > 
> > --
> > James Carter <jwcart2@tycho.nsa.gov>
> > National Security Agency
> > 
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency
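Added example, not code from the patch series or from anyone in this thread: a small model of the store layout and of the listing/removal behaviour discussed above, so the "semodule -p 900 -l" and "semanage permissive -d" results can be reproduced offline. It assumes a modules/<priority>/<module>/ directory layout (taken from the error message quoted above), that the highest-priority copy of a module is the one in effect, and Caleb's proposed convention that priority 0 on the list command means "no filter"; the store contents are constructed.

```python
import os
import tempfile


def make_sample_store():
    """Build a constructed store in a temp dir: everything the migration
    script produced sits at priority 100, plus one later install of httpd
    at the semodule default of 400.  Returns the store root."""
    root = tempfile.mkdtemp(prefix="semanage-example-")
    layout = {100: ["base", "httpd", "permissive_httpd_t"], 400: ["httpd"]}
    for prio, names in layout.items():
        for name in names:
            os.makedirs(os.path.join(root, "modules", str(prio), name))
    return root


def scan_store(root):
    """Return {module_name: sorted list of priorities it is installed at}."""
    found = {}
    mods = os.path.join(root, "modules")
    for prio in os.listdir(mods):
        if not prio.isdigit():
            continue  # skip anything that is not a priority directory
        for name in os.listdir(os.path.join(mods, prio)):
            found.setdefault(name, []).append(int(prio))
    return {name: sorted(prios) for name, prios in found.items()}


def list_modules(root, priority=0):
    """Model of the listing Caleb sketches: priority 0 lists each module
    once at the priority that wins (James' 'which priority is each
    enabled module at'); any other value shows only that priority."""
    installed = scan_store(root)
    if priority == 0:
        return {name: max(prios) for name, prios in installed.items()}
    return {name: priority for name, prios in installed.items()
            if priority in prios}


def remove_module(root, name, priority):
    """Mirror the failure in the thread: removing at the default 400 fails
    when the migration installed the module at 100.  Returns True only
    when a module directory was actually removed."""
    path = os.path.join(root, "modules", str(priority), name)
    if not os.path.isdir(path):
        return False
    os.rmdir(path)
    return True


if __name__ == "__main__":
    store = make_sample_store()
    print(list_modules(store))        # httpd shows at 400, the rest at 100
    print(list_modules(store, 900))   # nothing lives at 900
    print(remove_module(store, "permissive_httpd_t", 400))  # False: at 100
```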


