New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Daniel J Walsh]

As I have been trying to build a new policy we kept on coming up with 
problems in replacing the current policy file with either strict or 
targeted policy.  In the next version of Fedora Core we will be shipping 
a targeted policy on the iso images.  We will continue to make the 
strict policy available separately.  The problem comes in that these 
policy files conflict and we continued to work on how we could allow 
them both to be installed and have the user  fairly easily switch 
between policies.  With this new design, I could envision other policies 
being added in the future and test machines able to switch between the 
policies.

1. We are breaking the policy file out into two separate policy packages

   selinux-policy-strict  (-source also)
        - Containing pretty much the current policy
   selinux-policy-targeted (-source also)
        - Containing a policy where most processed run in unconfined_t 
and only specific services run under a different security context.

2. Both packages obsolete the current policy rpm.

3. We want both policy files  to be installable and not conflict with 
each other.

4. Policy files will  be installed in the /etc/selinux/(strict|targeted) 
directory.
Under this tree there will be at least three additional directiories

policy/
    Containing the compiled policy file

contexts/
    Containing all the contexts files
    file_contexts, default_contexts, default_type
    users/
             Containing user specific default context files.  root in 
particular.

src/
    Containing the policy src directory.

5. Tools and libraries (fixfiles, libselinux, init, and setools) will be 
modified to use the /etc/sysconfig/selinux file to determine which 
policy to currently use on the system and where the policy files are 
located.

6. If during the install /etc/sysconfig/selinux does not exist or does 
not contain an entry for the type of policy,  the first one installed 
will set the context to itself.

cat /etc/sysconfig/selinux
#
# Change the following line to enforcing, permissive or disabled.
# On the next boot the machine will come up in one the selected mode
#
SELINUX=enforcing
#
# Select the type of policy that you are running current values are
#  strict and targeted
#
SELINUXTYPE=strict


So if nothing is in the /etc/sysconfig/selinux file and you install 
strict, strict will be added
to config file. If there is an entry then it will be left there.
This will allow the installation of both the Strict and Targeted policy 
and the user can change the choice via this file and can then relabel

7. We will not use symbolic links.  Use of symbolic links complicates 
policy and requires a user to modify them if he wanted to change the 
security context that he wants to run as.  Also you end up with 
conflicts in the post install scripts which need to replace the old 
symbolic link with a new one.

Comments?

Dan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Jeff Johnson]

Daniel J Walsh wrote:

> As I have been trying to build a new policy we kept on coming up with 
> problems in replacing the current policy file with either strict or 
> targeted policy.  In the next version of Fedora Core we will be 
> shipping a targeted policy on the iso images.  We will continue to 
> make the strict policy available separately.  The problem comes in 
> that these policy files conflict and we continued to work on how we 
> could allow them both to be installed and have the user  fairly easily 
> switch between policies.  With this new design, I could envision other 
> policies being added in the future and test machines able to switch 
> between the policies.
>
> 1. We are breaking the policy file out into two separate policy packages
>
>   selinux-policy-strict  (-source also)
>        - Containing pretty much the current policy
>   selinux-policy-targeted (-source also)
>        - Containing a policy where most processed run in unconfined_t 
> and only specific services run under a different security context.

>
> 2. Both packages obsolete the current policy rpm.
>
> 3. We want both policy files  to be installable and not conflict with 
> each other.


Hmmm, how is rpm to find out which file_contexts is to be used? Or is 
targeted policy a strict ;-) subset
of strict policy?

>
> 4. Policy files will  be installed in the 
> /etc/selinux/(strict|targeted) directory.
> Under this tree there will be at least three additional directiories
>
> policy/
>    Containing the compiled policy file
>
> contexts/
>    Containing all the contexts files
>    file_contexts, default_contexts, default_type
>    users/
>             Containing user specific default context files.  root in 
> particular.
>
> src/
>    Containing the policy src directory.
>
> 5. Tools and libraries (fixfiles, libselinux, init, and setools) will 
> be modified to use the /etc/sysconfig/selinux file to determine which 
> policy to currently use on the system and where the policy files are 
> located.
>
> 6. If during the install /etc/sysconfig/selinux does not exist or does 
> not contain an entry for the type of policy,  the first one installed 
> will set the context to itself.


How much legacy compatibility is desired? I sure hope you say "None." ;-)

>
> cat /etc/sysconfig/selinux
> #
> # Change the following line to enforcing, permissive or disabled.
> # On the next boot the machine will come up in one the selected mode
> #
> SELINUX=enforcing
> #
> # Select the type of policy that you are running current values are
> #  strict and targeted
> #
> SELINUXTYPE=strict
>
>
> So if nothing is in the /etc/sysconfig/selinux file and you install 
> strict, strict will be added
> to config file. If there is an entry then it will be left there.
> This will allow the installation of both the Strict and Targeted 
> policy and the user can change the choice via this file and can then 
> relabel
>
> 7. We will not use symbolic links.  Use of symbolic links complicates 
> policy and requires a user to modify them if he wanted to change the 
> security context that he wants to run as.  Also you end up with 
> conflicts in the post install scripts which need to replace the old 
> symbolic link with a new one.


Well, the existing means to handle simultaneous installs of otherwise 
mutually exclusive packages is the
alternatives mechanism used to handle sendmail vs. postfix and lpd vs. cups.

Yes, symlinks, feeble, but that is the existing mechanism, might as well 
use if in the distro.

73 de Jeff




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Jeff Johnson]

Daniel J Walsh wrote:

>
>
> 6. If during the install /etc/sysconfig/selinux does not exist or does 
> not contain an entry for the type of policy,  the first one installed 
> will set the context to itself.
>
> cat /etc/sysconfig/selinux
> #
> # Change the following line to enforcing, permissive or disabled.
> # On the next boot the machine will come up in one the selected mode
> #
> SELINUX=enforcing
> #
> # Select the type of policy that you are running current values are
> #  strict and targeted
> #
> SELINUXTYPE=strict
>
>
> So if nothing is in the /etc/sysconfig/selinux file and you install 
> strict, strict will be added
> to config file. If there is an entry then it will be left there.
> This will allow the installation of both the Strict and Targeted 
> policy and the user can change the choice via this file and can then 
> relabel


Ah, you want Yet Another Config File parser added to all applications 
that need to determine which policy
is going to be installed. Well, that's doable, but, well, ick. Perhaps 
there is a new routine in libselinux to
simplify which policy obtains. There are run-time issues as well: What 
if you are upgrading from targeted
to strict, which regexes should be used during upgrade?

73 de Jeff


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Daniel J Walsh]

Jeff Johnson wrote:

> Daniel J Walsh wrote:
>
>> As I have been trying to build a new policy we kept on coming up with 
>> problems in replacing the current policy file with either strict or 
>> targeted policy.  In the next version of Fedora Core we will be 
>> shipping a targeted policy on the iso images.  We will continue to 
>> make the strict policy available separately.  The problem comes in 
>> that these policy files conflict and we continued to work on how we 
>> could allow them both to be installed and have the user  fairly 
>> easily switch between policies.  With this new design, I could 
>> envision other policies being added in the future and test machines 
>> able to switch between the policies.
>>
>> 1. We are breaking the policy file out into two separate policy packages
>>
>>   selinux-policy-strict  (-source also)
>>        - Containing pretty much the current policy
>>   selinux-policy-targeted (-source also)
>>        - Containing a policy where most processed run in unconfined_t 
>> and only specific services run under a different security context.
>
>
>>
>> 2. Both packages obsolete the current policy rpm.
>>
>> 3. We want both policy files  to be installable and not conflict with 
>> each other.
>
>
>
> Hmmm, how is rpm to find out which file_contexts is to be used? Or is 
> targeted policy a strict ;-) subset
> of strict policy?

libselinux is converted to use the correct one.  selinux_policypath is 
set the the dirctory where the policy is installed during library 
initialization. 

So files contexts would be in 
${selinux_policypath}/contexts/file_contexts please excuse the pseudo code.

>
>>
>> 4. Policy files will  be installed in the 
>> /etc/selinux/(strict|targeted) directory.
>> Under this tree there will be at least three additional directiories
>>
>> policy/
>>    Containing the compiled policy file
>>
>> contexts/
>>    Containing all the contexts files
>>    file_contexts, default_contexts, default_type
>>    users/
>>             Containing user specific default context files.  root in 
>> particular.
>>
>> src/
>>    Containing the policy src directory.
>>
>> 5. Tools and libraries (fixfiles, libselinux, init, and setools) will 
>> be modified to use the /etc/sysconfig/selinux file to determine which 
>> policy to currently use on the system and where the policy files are 
>> located.
>>
>> 6. If during the install /etc/sysconfig/selinux does not exist or 
>> does not contain an entry for the type of policy,  the first one 
>> installed will set the context to itself.
>
>
>
> How much legacy compatibility is desired? I sure hope you say "None." ;-)

We are looking for a clean break.  Since we have a small installed base, 
this should be possible.  :^)

>
>>
>> cat /etc/sysconfig/selinux
>> #
>> # Change the following line to enforcing, permissive or disabled.
>> # On the next boot the machine will come up in one the selected mode
>> #
>> SELINUX=enforcing
>> #
>> # Select the type of policy that you are running current values are
>> #  strict and targeted
>> #
>> SELINUXTYPE=strict
>>
>>
>> So if nothing is in the /etc/sysconfig/selinux file and you install 
>> strict, strict will be added
>> to config file. If there is an entry then it will be left there.
>> This will allow the installation of both the Strict and Targeted 
>> policy and the user can change the choice via this file and can then 
>> relabel
>>
>> 7. We will not use symbolic links.  Use of symbolic links complicates 
>> policy and requires a user to modify them if he wanted to change the 
>> security context that he wants to run as.  Also you end up with 
>> conflicts in the post install scripts which need to replace the old 
>> symbolic link with a new one.
>
>
>
> Well, the existing means to handle simultaneous installs of otherwise 
> mutually exclusive packages is the
> alternatives mechanism used to handle sendmail vs. postfix and lpd vs. 
> cups.
>
> Yes, symlinks, feeble, but that is the existing mechanism, might as 
> well use if in the distro.
>
> 73 de Jeff
>
>
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Stephen Smalley]

On Tue, 2004-05-25 at 15:18, Jeff Johnson wrote:
> Well, the existing means to handle simultaneous installs of otherwise 
> mutually exclusive packages is the
> alternatives mechanism used to handle sendmail vs. postfix and lpd vs. cups.
> 
> Yes, symlinks, feeble, but that is the existing mechanism, might as well 
> use if in the distro.

Can you elaborate on how this works presently?  How do you avoid
conflicts among multiple packages owning those symlinks?

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: New design for policy on disk allowing multiple policy rpms to be simultaniously installed.

[Jeff Johnson]

Stephen Smalley wrote:

>On Tue, 2004-05-25 at 15:18, Jeff Johnson wrote:
>  
>
>>Well, the existing means to handle simultaneous installs of otherwise 
>>mutually exclusive packages is the
>>alternatives mechanism used to handle sendmail vs. postfix and lpd vs. cups.
>>
>>Yes, symlinks, feeble, but that is the existing mechanism, might as well 
>>use if in the distro.
>>    
>>
>
>Can you elaborate on how this works presently?  How do you avoid
>conflicts among multiple packages owning those symlinks?
>
>  
>

Sure.

sendmail and postfix are mutually conflicting because both wish to use 
/usr/lib/sendmail.

So the path is a symlink, conflicts avoided because the symlink is not part
of any package, but rather a side effect of the install:
$ rpm -qf /usr/lib/sendmail
file /usr/lib/sendmail is not owned by any package

See also "man alternatives".

Here are the scripts from the sendmail package, edited to remove "other 
stuff":

$ rpm -q --scripts sendmail

postinstall scriptlet (using /bin/sh):

#
# Set up the alternatives files for MTAs.
#
/usr/sbin/alternatives --install /usr/sbin/sendmail mta 
/usr/sbin/sendmail.sendmail 90 \
        --slave /usr/bin/mailq mta-mailq /usr/bin/mailq.sendmail \
        --slave /usr/bin/newaliases mta-newaliases 
/usr/bin/newaliases.sendmail \
        --slave /usr/bin/rmail mta-rmail /usr/bin/rmail.sendmail \
        --slave /usr/lib/sendmail mta-sendmail /usr/lib/sendmail.sendmail \
        --slave /etc/pam.d/smtp mta-pam /etc/pam.d/smtp.sendmail \
        --slave /usr/share/man/man8/sendmail.8.gz mta-sendmailman 
/usr/share/man/man8/sendmail.sendmail.8.gz \
        --slave /usr/share/man/man1/mailq.1.gz mta-mailqman 
/usr/share/man/man1/mailq.sendmail.1.gz \
        --slave /usr/share/man/man1/newaliases.1.gz mta-newaliasesman 
/usr/share/man/man1/newaliases.sendmail.1.gz \
        --slave /usr/share/man/man5/aliases.5.gz mta-aliasesman 
/usr/share/man/man5/aliases.sendmail.5.gz \
        --initscript sendmail
 
 

preuninstall scriptlet (using /bin/sh):
if [ $1 = 0 ]; then
        /usr/sbin/alternatives --remove mta /usr/sbin/sendmail.sendmail
fi
exit 0
postuninstall scriptlet (using /bin/sh):
if [ "$1" -ge "1" ]; then
        mta=`readlink /etc/alternatives/mta`
        if [ "$mta" == "/usr/sbin/sendmail.sendmail" ]; then
                /usr/sbin/alternatives --set mta /usr/sbin/sendmail.sendmail
        fi
fi
exit 0

HTH

73 de Jeff


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.