From: Joshua Brindle <jbrindle@tresys.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ivan Gyurdiev <ivg2@cornell.edu>,
SELinux-dev@tresys.com, dwalsh@redhat.com, selinux@tycho.nsa.gov
Subject: Re: [ SEMANAGE ] [ SEPOL ] More database work
Date: Wed, 12 Oct 2005 12:19:30 -0400 [thread overview]
Message-ID: <434D3792.7020606@tresys.com> (raw)
In-Reply-To: <1129131866.3308.282.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Wed, 2005-10-12 at 11:34 -0400, Joshua Brindle wrote:
>
>>Alternatively if an appropriate binary cannot be found one can be
>>expanded from the linked policy in the module store. This would give a
>>(hopefully) lossless and current binary policy. It would make startup
>>slower in the case that a policy can't be found but seems better than
>>loading a stale policy or none at all.
>>
>>This follows on the theme of not mangling the binary image once it gets
>>to load_policy/init, which I think is important. If semanage is managing
>>the policy this should be included in that.
>
Now that I think of it this can still lead to a stale policy if one was
previously generated but the linked policy was since updated.
I think that we need to make libsemanage remove all binary policies in
the binary policy directory when a new policy is install.
>
> I can't quite imagine init invoking libsemanage to generate a policy
> file for it to load. It would also create a circular dependency between
> libselinux (which now contains all of the load policy logic and thus
> would end up being modified for this purpose) and libsemanage (which
> already depends on libselinux).
>
> As for modifying the binary policy image at load time, Karl already
> agreed that the preservation of current boolean settings (in the
> load_policy case, not the init case) has to remain part of that logic.
> So regenerating to a different policy version in memory isn't especially
> different/difficult there.
The boolean preservation case is a special case, I think we should try
to limit binary image mutating as much as possible though.
>
> Offhand, I think that the only case where neither libsepol nor
> libsemanage will yield the same policy as checkpolicy if downgrading
> policy versions is the netlink class case, as checkpolicy does
> manipulation during the policy source parsing itself there. But that
> change occurred circa 2.6.9 and was an unusual use of the version
> mechanism, so it likely isn't much of a concern now.
>
hrm, should the logic in checkpolicy be moved to libsepol/write.c so
that it will always be consistent?
I know the current versions allow downgrading that shouldn't affect the
security properties of the policy but I don't see how it can be
guaranteed that this is the case for every future version.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2005-10-12 16:19 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-06 16:01 [ SEMANAGE ] [ SEPOL ] More database work Ivan Gyurdiev
2005-10-06 16:05 ` Ivan Gyurdiev
2005-10-06 19:27 ` Stephen Smalley
2005-10-07 14:30 ` Stephen Smalley
2005-10-07 15:52 ` Stephen Smalley
2005-10-07 18:30 ` Stephen Smalley
2005-10-07 19:36 ` Joshua Brindle
2005-10-07 19:54 ` Stephen Smalley
2005-10-07 20:15 ` Joshua Brindle
2005-10-07 20:23 ` Stephen Smalley
2005-10-07 20:41 ` Joshua Brindle
2005-10-11 19:15 ` Stephen Smalley
2005-10-11 20:05 ` Stephen Smalley
2005-10-11 20:17 ` Stephen Smalley
2005-10-11 22:45 ` Joshua Brindle
2005-10-11 22:51 ` Joshua Brindle
2005-10-12 14:58 ` Stephen Smalley
2005-10-12 15:34 ` Joshua Brindle
2005-10-12 15:44 ` Stephen Smalley
2005-10-12 16:19 ` Joshua Brindle [this message]
2005-10-12 16:26 ` Stephen Smalley
2005-10-12 18:06 ` Joshua Brindle
2005-10-12 19:52 ` Stephen Smalley
2005-10-12 20:11 ` Stephen Smalley
2005-10-13 16:43 ` Stephen Smalley
2005-10-13 18:43 ` Stephen Smalley
2005-10-13 18:54 ` Stephen Smalley
2005-10-12 20:16 ` Joshua Brindle
2005-10-12 20:43 ` Stephen Smalley
2005-10-07 21:17 ` Stephen Smalley
2005-10-07 22:48 ` Ivan Gyurdiev
2005-10-11 12:32 ` Stephen Smalley
2005-10-11 12:51 ` Stephen Smalley
2005-10-13 19:29 ` Stephen Smalley
2005-10-13 22:35 ` Joshua Brindle
2005-10-14 12:02 ` Stephen Smalley
2005-10-14 13:33 ` Joshua Brindle
2005-10-14 13:49 ` Stephen Smalley
2005-10-07 19:37 ` Stephen Smalley
2005-10-07 15:52 ` Ivan Gyurdiev
2005-10-07 16:01 ` Stephen Smalley
2005-10-07 16:05 ` Stephen Smalley
2005-10-07 16:46 ` Ivan Gyurdiev
2005-10-07 17:04 ` Stephen Smalley
2005-10-07 16:06 ` Joshua Brindle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=434D3792.7020606@tresys.com \
--to=jbrindle@tresys.com \
--cc=SELinux-dev@tresys.com \
--cc=dwalsh@redhat.com \
--cc=ivg2@cornell.edu \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.