* [ SEMANAGE ] Install seusers, rename some files
@ 2005-11-01 1:12 Ivan Gyurdiev
2005-11-01 20:10 ` Stephen Smalley
From: Ivan Gyurdiev @ 2005-11-01 1:12 UTC (permalink / raw)
To: SELinux; +Cc: Stephen Smalley
[-- Attachment #1: Type: text/plain, Size: 201 bytes --]
Changes:
- adds seuser install code
- renames for consistency:
port_contexts -> ports.local
(empty) -> interfaces.local
local.users -> users.local
(and we have booleans.local)
[-- Attachment #2: libsemanage.install_seusers.diff --]
[-- Type: text/x-patch, Size: 4772 bytes --]
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/database_policydb.c new/libsemanage/src/database_policydb.c
--- old/libsemanage/src/database_policydb.c 2005-10-31 11:09:39.000000000 -0500
+++ new/libsemanage/src/database_policydb.c 2005-10-31 19:53:49.000000000 -0500
@@ -106,7 +106,7 @@ static int dbase_policydb_cache(
free(fname);
dbase->cached = 1;
return STATUS_SUCCESS;
-
+
err:
ERR(handle, "unable to cache policy database from %s", fname);
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/interfaces_file.c new/libsemanage/src/interfaces_file.c
--- old/libsemanage/src/interfaces_file.c 2005-10-31 11:09:39.000000000 -0500
+++ new/libsemanage/src/interfaces_file.c 2005-10-31 19:10:48.000000000 -0500
@@ -54,7 +54,7 @@ record_file_table_t SEMANAGE_IFACE_FILE_
int iface_file_dbase_init(dbase_config_t* dconfig) {
if (dbase_file_init(
- "", /* FIXME */
+ "interfaces.local",
&SEMANAGE_IFACE_RTABLE,
&SEMANAGE_IFACE_FILE_RTABLE,
&dconfig->dbase) < 0)
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/ports_file.c new/libsemanage/src/ports_file.c
--- old/libsemanage/src/ports_file.c 2005-10-31 11:09:39.000000000 -0500
+++ new/libsemanage/src/ports_file.c 2005-10-31 19:10:26.000000000 -0500
@@ -135,7 +135,7 @@ record_file_table_t SEMANAGE_PORT_FILE_R
int port_file_dbase_init(dbase_config_t* dconfig) {
if (dbase_file_init(
- "port_contexts",
+ "ports.local",
&SEMANAGE_PORT_RTABLE,
&SEMANAGE_PORT_FILE_RTABLE,
&dconfig->dbase) < 0)
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/semanage_store.c new/libsemanage/src/semanage_store.c
--- old/libsemanage/src/semanage_store.c 2005-10-27 15:27:03.000000000 -0400
+++ new/libsemanage/src/semanage_store.c 2005-10-31 19:45:08.000000000 -0500
@@ -94,7 +94,8 @@ static const char *semanage_sandbox_path
"/file_contexts",
"/homedir_template",
"/file_contexts.template",
- "/commit_num"
+ "/commit_num",
+ "/seusers"
};
/* Initialize the paths to config file, lock files and store root.
@@ -851,10 +852,12 @@ static int semanage_install_active(seman
const char *active_kernel = semanage_path(SEMANAGE_ACTIVE,SEMANAGE_KERNEL);
const char *active_fc = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_FC);
const char *active_hd = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_HOMEDIR_TMPL);
+ const char *active_seusers = semanage_path(SEMANAGE_ACTIVE, SEMANAGE_SEUSERS);
const char *running_fc = selinux_file_context_path();
const char *running_hd = selinux_homedir_context_path();
const char *running_policy = selinux_binary_policy_path();
+ const char *running_seusers = selinux_usersconf_path();
const char *really_active_store = selinux_policy_root();
/* This is very unelegant, the right thing to do is export the path
@@ -863,11 +866,13 @@ static int semanage_install_active(seman
char store_fc[PATH_MAX];
char store_hd[PATH_MAX];
char store_pol[PATH_MAX];
+ char store_seusers[PATH_MAX];
len = strlen(really_active_store);
running_fc += len;
running_hd += len;
running_policy += len;
+ running_seusers += len;
len = strlen(selinux_path()) + strlen(sh->conf->store_path) + 1;
storepath = (char *)malloc(len);
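Review bot: `running_seusers += len;` at the new line in this hunk does pointer arithmetic on whatever selinux_usersconf_path() returned, assuming it is non-NULL and begins with the selinux_policy_root() prefix; the existing running_fc/running_hd/running_policy lines make the same assumption, but nothing in the hunk verifies it for the newly added path, and a NULL or differently rooted value would make the later "%s%s" join produce a path outside the store. A cheap guard before the arithmetic would be `if (!running_seusers || strncmp(running_seusers, really_active_store, len) != 0) { ERR(sh, "unexpected seusers path %s", running_seusers ? running_seusers : "(null)"); goto cleanup; }`, provided cleanup tolerates storepath not yet being allocated (it is malloc'd only after this point, so initialise it to NULL at declaration if cleanup frees it). semanage_install_active starts and ends outside this hunk.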
@@ -894,6 +899,12 @@ static int semanage_install_active(seman
goto cleanup;
}
+ snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers);
+ if (semanage_copy_file(active_seusers, store_seusers) == -1) {
+ ERR(sh, "Could not copy %s to %s.", active_seusers, store_seusers);
+ goto cleanup;
+ }
+
if (!sh->do_reload)
goto skip_reload;
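Review bot: The `snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers);` added in this hunk ignores the return value, so if storepath plus the relative seusers path exceeds PATH_MAX the copy silently targets a truncated path rather than the intended destination, and seusers is the file that maps logins to SELinux users, so an install to the wrong place leaves the live mapping stale without any error. Check the result and fail closed: `int n = snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers);` followed by `if (n < 0 || n >= PATH_MAX) { ERR(sh, "seusers path too long"); goto cleanup; }`. The store_fc/store_hd/store_pol joins that presumably precede this hunk look like they have the same gap, though they are outside the visible lines. It is also not visible here what mode and ownership semanage_copy_file() gives the destination; worth confirming it does not widen the permissions of the existing seusers file.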
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/semanage_store.h new/libsemanage/src/semanage_store.h
--- old/libsemanage/src/semanage_store.h 2005-10-25 08:25:32.000000000 -0400
+++ new/libsemanage/src/semanage_store.h 2005-10-31 19:11:36.000000000 -0500
@@ -44,6 +44,7 @@ enum semanage_sandbox_defs {
SEMANAGE_HOMEDIR_TMPL,
SEMANAGE_FC_TMPL,
SEMANAGE_COMMIT_NUM_FILE,
+ SEMANAGE_SEUSERS,
SEMANAGE_STORE_NUM_PATHS
};
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/users_file.c new/libsemanage/src/users_file.c
--- old/libsemanage/src/users_file.c 2005-10-31 11:09:39.000000000 -0500
+++ new/libsemanage/src/users_file.c 2005-10-31 19:10:00.000000000 -0500
@@ -229,7 +229,7 @@ record_file_table_t SEMANAGE_USER_FILE_R
int user_file_dbase_init(dbase_config_t* dconfig) {
if (dbase_file_init(
- "local.users",
+ "users.local",
&SEMANAGE_USER_RTABLE,
&SEMANAGE_USER_FILE_RTABLE,
&dconfig->dbase) < 0)
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 1:12 [ SEMANAGE ] Install seusers, rename some files Ivan Gyurdiev
@ 2005-11-01 20:10 ` Stephen Smalley
2005-11-01 20:34 ` Ivan Gyurdiev
From: Stephen Smalley @ 2005-11-01 20:10 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: SELinux
On Mon, 2005-10-31 at 20:12 -0500, Ivan Gyurdiev wrote:
> Changes:
> - adds seuser install code
> - renames for consistency:
> port_contexts -> ports.local
> (empty) -> interfaces.local
> local.users -> users.local
> (and we have booleans.local)
diff -Naurp --exclude CVS --exclude ChangeLog --exclude VERSION --exclude Makefile old/libsemanage/src/semanage_store.c new/libsemanage/src/semanage_store.c
--- old/libsemanage/src/semanage_store.c 2005-10-27 15:27:03.000000000 -0400
+++ new/libsemanage/src/semanage_store.c 2005-10-31 19:45:08.000000000 -0500
@@ -894,6 +899,12 @@ static int semanage_install_active(seman
goto cleanup;
}
+ snprintf(store_seusers, PATH_MAX, "%s%s", storepath, running_seusers);
+ if (semanage_copy_file(active_seusers, store_seusers) == -1) {
+ ERR(sh, "Could not copy %s to %s.", active_seusers, store_seusers);
+ goto cleanup;
+ }
+
if (!sh->do_reload)
goto skip_reload;
I'm not sure about this; at present, it has the side effect that a
semodule -b base.pp will fail upon the attempt to copy seusers (because
there isn't one in the sandbox presently, not even an empty stub). We
also have to be careful about not clobbering any existing seusers file
during the migration, although I suppose that will be handled by moving
it into the sandbox upon policy upgrade, as with booleans.local.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 20:10 ` Stephen Smalley
@ 2005-11-01 20:34 ` Ivan Gyurdiev
2005-11-01 20:41 ` Stephen Smalley
2005-11-01 20:56 ` Ivan Gyurdiev
From: Ivan Gyurdiev @ 2005-11-01 20:34 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux
> I'm not sure about this; at present, it has the side effect that a
> semodule -b base.pp will fail upon the attempt to copy seusers (because
> there isn't one in the sandbox presently, not even an empty stub).
Yes, the seusers from /etc/selinux/strict/seusers have to get in the
sandbox somehow...
I'm not entirely sure how, but I think Tresys has indicated that should
occur through the APIs, rather than by copying it in.
This is only necessary for migration...
> We also have to be careful about not clobbering any existing seusers file
> during the migration, although I suppose that will be handled by moving
> it into the sandbox upon policy upgrade, as with booleans.local
The authoritative seusers file should be in the sandbox. Personally I
think all authoritative files should be in the sandbox, and not get
copied from place to place... but that's not how things work currently.
By the way, direct modifications of the /etc/selinux/seusers file will
be overwritten by libsemanage (but I think the goal is that there should
be no direct modifications..)
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 20:34 ` Ivan Gyurdiev
@ 2005-11-01 20:41 ` Stephen Smalley
2005-11-01 21:12 ` Ivan Gyurdiev
2005-11-01 20:56 ` Ivan Gyurdiev
From: Stephen Smalley @ 2005-11-01 20:41 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: SELinux-dev, SELinux
On Tue, 2005-11-01 at 15:34 -0500, Ivan Gyurdiev wrote:
> Yes, the seusers from /etc/selinux/strict/seusers have to get in the
> sandbox somehow...
> I'm not entirely sure how, but I think Tresys has indicated that should
> occur through the APIs, rather than by copying it in.
I think moving the local files into the sandbox upon policy update (via
%post scriptlet in the policy package) is reasonable, as this is only
needed for migration and will not be done subsequently. All subsequent
manipulation of the files will then be done on individual records via
the API, but we don't want to go that route for the initial populating
of the sandbox for the local files. For modules, it is a different
matter, as installing complete modules is a normal part of the API, not
just a migration requirement, so we can use that API as is (via
semodule).
> This is only necessary for migration...
Yes. But we need to avoid breaking use of semodule -b now via this
patch until such a time as the seusers support is in place, so possibly
I should just change the error handling here to just WARN and proceed
with the reload.
> The authoritative seusers file should be in the sandbox. Personally I
> think all authoritative files should be in the sandbox, and not get
> copied from place to place... but that's not how things work currently.
> By the way, direct modifications of the /etc/selinux/seusers file will
> be overwritten by libsemanage (but I think the goal is that there should
> be no direct modifications..)
The "active" files need to have some standard location that is known to
libselinux, regardless of whether that standard location is inside or
outside of the sandbox. Using the existing standard locations outside
the sandbox is good for compatibility as well as enabling the sandbox to
remain fully private to libsemanage (so we can restructure it at any
time without affecting libselinux). I do agree however that copying for
the final installation of the files is not good, and needs to be
replaced by an atomic rename.
Yes, the goal should be to eliminate any direct editing of seusers or
any other local files, and require the use of utilities that go through
libsemanage for all such modifications. The utilities and/or
libsemanage can then be instrumented for auditing such modifications.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 20:41 ` Stephen Smalley
@ 2005-11-01 21:12 ` Ivan Gyurdiev
2005-11-01 21:05 ` Joshua Brindle
` (3 more replies)
From: Ivan Gyurdiev @ 2005-11-01 21:12 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux-dev, SELinux, dwalsh
>
> I think moving the local files into the sandbox upon policy update (via
> %post scriptlet in the policy package) is reasonable, as this is only
> needed for migration and will not be done subsequently.
I guess at that point we also want to migrate booleans.local,
local.users, and install the base module?
Dan, can you add such a script?
- copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
- copy /etc/selinux/?/local.users into
/etc/selinux/?/modules/active/users.local [ renamed ]
- copy /etc/selinux/?/booleans.local into
/etc/selinux/?/modules/active/booleans.local
- install base module into /etc/selinux/?/modules/active/base.pp (is
this managed by rpm?)
> Yes. But we need to avoid breaking use of semodule -b now via this
> patch until such a time as the seusers support is in place, so possibly
> I should just change the error handling here to just WARN and proceed
> with the reload.
Hmm... that sounds reasonable... I think.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:12 ` Ivan Gyurdiev
@ 2005-11-01 21:05 ` Joshua Brindle
2005-11-01 21:42 ` Ivan Gyurdiev
2005-11-01 21:08 ` Stephen Smalley
` (2 subsequent siblings)
From: Joshua Brindle @ 2005-11-01 21:05 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SELinux-dev, SELinux, dwalsh
Ivan Gyurdiev wrote:
>>
>> I think moving the local files into the sandbox upon policy update (via
>> %post scriptlet in the policy package) is reasonable, as this is only
>> needed for migration and will not be done subsequently.
>
> I guess at that point we also want to migrate booleans.local,
> local.users, and install the base module?
> Dan, can you add such a script?
>
> - copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
fine
> - copy /etc/selinux/?/local.users into
> /etc/selinux/?/modules/active/users.local [ renamed ]
this could potentially be done the same way as booleans below, except
that there isn't a user of the user api in libsemanage yet, so that
would be written; with seuser handling the vast majority of users now
this isn't very high priority.
> - copy /etc/selinux/?/booleans.local into
> /etc/selinux/?/modules/active/booleans.local
not sure about this. It would not be difficult to read the old booleans
file and pipe the info through setsebool -p.
> - install base module into /etc/selinux/?/modules/active/base.pp (is
> this managed by rpm?)
>
the base.pp will be placed in /usr/share/selinux and then be installed
via semodule -b.
>> Yes. But we need to avoid breaking use of semodule -b now via this
>> patch until such a time as the seusers support is in place, so possibly
>> I should just change the error handling here to just WARN and proceed
>> with the reload.
>
> Hmm... that sounds reasonable... I think.
>
Not even sure a warn is necessary IMO, read other response.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:05 ` Joshua Brindle
@ 2005-11-01 21:42 ` Ivan Gyurdiev
2005-11-01 21:40 ` Stephen Smalley
From: Ivan Gyurdiev @ 2005-11-01 21:42 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, SELinux-dev, SELinux, dwalsh
>> - copy /etc/selinux/?/local.users into
>> /etc/selinux/?/modules/active/users.local [ renamed ]
> this could potentially be done the same way as booleans below, except
> that there isn't a user of the user api in libsemanage yet, so that
> would be written; with seuser handling the vast majority of users now
> this isn't very high priority.
>
>> - copy /etc/selinux/?/booleans.local into
>> /etc/selinux/?/modules/active/booleans.local
> not sure about this. It would not be difficult to read the old
> booleans file and pipe the info through setsebool -p.
setsebool -p does not go through libsemanage as of right now...
I haven't written any users of libsemanage - I've been focusing on the
library so far..
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:42 ` Ivan Gyurdiev
@ 2005-11-01 21:40 ` Stephen Smalley
From: Stephen Smalley @ 2005-11-01 21:40 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Joshua Brindle, SELinux-dev, SELinux, dwalsh
On Tue, 2005-11-01 at 16:42 -0500, Ivan Gyurdiev wrote:
> >> - copy /etc/selinux/?/local.users into
> >> /etc/selinux/?/modules/active/users.local [ renamed ]
> > this could potentially be done the same way as booleans below, except
> > that there isn't a user of the user api in libsemanage yet, so that
> > would be written; with seuser handling the vast majority of users now
> > this isn't very high priority.
> >
> >> - copy /etc/selinux/?/booleans.local into
> >> /etc/selinux/?/modules/active/booleans.local
> > not sure about this. It would not be difficult to read the old
> > booleans file and pipe the info through setsebool -p.
> setsebool -p does not go through libsemanage as of right now...
> I haven't written any users of libsemanage - I've been focusing on the
> library so far..
Yes, but the plan is to move setsebool from libselinux to
libsemanage/utils or policycoreutils and rewrite it to use libsemanage.
Nonetheless, I can't see running it all through setsebool as being
particularly desirable. Makes more sense to me to just move the files
once for migration and be done with it. That also simplifies the
problem of atomically setting up the entire sandbox; we can move all of
the local files first, then run semodule -b, and the final commit should
just work since everything will be in place. I suppose one could
alternatively install the base module first via semodule -b (possibly
with -n too to avoid immediate load), and then apply setsebool -P.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:12 ` Ivan Gyurdiev
2005-11-01 21:05 ` Joshua Brindle
@ 2005-11-01 21:08 ` Stephen Smalley
2005-11-01 21:11 ` Stephen Smalley
2005-11-01 21:15 ` Ivan Gyurdiev
From: Stephen Smalley @ 2005-11-01 21:08 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: SELinux-dev, SELinux, dwalsh
On Tue, 2005-11-01 at 16:12 -0500, Ivan Gyurdiev wrote:
> Dan, can you add such a script?
>
> - copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
> - copy /etc/selinux/?/local.users into
> /etc/selinux/?/modules/active/users.local [ renamed ]
> - copy /etc/selinux/?/booleans.local into
> /etc/selinux/?/modules/active/booleans.local
> - install base module into /etc/selinux/?/modules/active/base.pp (is
> this managed by rpm?)
For the last one, you can just do a semodule -b base.pp, and let
libsemanage handle it. The module API already allows for such
installation of the modules, unlike the local APIs. And while we could
add local APIs for installing an entire local file as a single
operation, I don't see the point since this only needs to happen for
migration purposes.
> > Yes. But we need to avoid breaking use of semodule -b now via this
> > patch until such a time as the seusers support is in place, so possibly
> > I should just change the error handling here to just WARN and proceed
> > with the reload.
> Hmm... that sounds reasonable... I think.
Ok, that's what I will do for now.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:12 ` Ivan Gyurdiev
2005-11-01 21:05 ` Joshua Brindle
2005-11-01 21:08 ` Stephen Smalley
@ 2005-11-01 21:11 ` Stephen Smalley
2005-11-01 21:31 ` Ivan Gyurdiev
2005-11-01 21:15 ` Ivan Gyurdiev
From: Stephen Smalley @ 2005-11-01 21:11 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: SELinux-dev, SELinux, dwalsh
On Tue, 2005-11-01 at 16:12 -0500, Ivan Gyurdiev wrote:
> >
> > I think moving the local files into the sandbox upon policy update (via
> > %post scriptlet in the policy package) is reasonable, as this is only
> > needed for migration and will not be done subsequently.
> I guess at that point we also want to migrate booleans.local,
> local.users, and install the base module?
> Dan, can you add such a script?
>
> - copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
> - copy /etc/selinux/?/local.users into
> /etc/selinux/?/modules/active/users.local [ renamed ]
> - copy /etc/selinux/?/booleans.local into
> /etc/selinux/?/modules/active/booleans.local
> - install base module into /etc/selinux/?/modules/active/base.pp (is
> this managed by rpm?)
BTW, on the "is this managed by rpm?" question: The copying into the
sandbox would be handled by %post scriptlet, so the sandbox file paths
would not be "owned" by the package as far as rpm is concerned (IIUC).
So it shouldn't be a problem.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:11 ` Stephen Smalley
@ 2005-11-01 21:31 ` Ivan Gyurdiev
2005-11-01 21:27 ` Stephen Smalley
From: Ivan Gyurdiev @ 2005-11-01 21:31 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux-dev, SELinux, dwalsh
>> I guess at that point we also want to migrate booleans.local,
>> local.users, and install the base module?
>> Dan, can you add such a script?
>>
>> - copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
>> - copy /etc/selinux/?/local.users into
>> /etc/selinux/?/modules/active/users.local [ renamed ]
>> - copy /etc/selinux/?/booleans.local into
>> /etc/selinux/?/modules/active/booleans.local
>> - install base module into /etc/selinux/?/modules/active/base.pp (is
>> this managed by rpm?)
>>
>
> BTW, on the "is this managed by rpm?" question: The copying into the
> sandbox would be handled by %post scriptlet, so the sandbox file paths
> would not be "owned" by the package as far as rpm is concerned (IIUC).
> So it shouldn't be a problem.
>
Right, but it seems we need Makefile support for installing the base
module in /usr/share/selinux.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:31 ` Ivan Gyurdiev
@ 2005-11-01 21:27 ` Stephen Smalley
From: Stephen Smalley @ 2005-11-01 21:27 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: SELinux-dev, SELinux, dwalsh
On Tue, 2005-11-01 at 16:31 -0500, Ivan Gyurdiev wrote:
> Right, but it seems we need Makefile support for installing the base
> module in /usr/share/selinux.
Yes, hopefully this will get hashed out tomorrow.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:12 ` Ivan Gyurdiev
` (2 preceding siblings ...)
2005-11-01 21:11 ` Stephen Smalley
@ 2005-11-01 21:15 ` Ivan Gyurdiev
From: Ivan Gyurdiev @ 2005-11-01 21:15 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SELinux-dev, SELinux, dwalsh
>>
>> I think moving the local files into the sandbox upon policy update (via
>> %post scriptlet in the policy package) is reasonable, as this is only
>> needed for migration and will not be done subsequently.
> I guess at that point we also want to migrate booleans.local,
> local.users, and install the base module?
> Dan, can you add such a script?
>
> - copy /etc/selinux/?/seusers into /etc/selinux/?/modules/active/seusers
> - copy /etc/selinux/?/local.users into
> /etc/selinux/?/modules/active/users.local [ renamed ]
> - copy /etc/selinux/?/booleans.local into
> /etc/selinux/?/modules/active/booleans.local
> - install base module into /etc/selinux/?/modules/active/base.pp (is
> this managed by rpm?)
Actually that reminds me that I just changed the user parser to disallow
whitespace and multiple lines in the MLS portion of local.users
(unfortunate).
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 20:34 ` Ivan Gyurdiev
2005-11-01 20:41 ` Stephen Smalley
@ 2005-11-01 20:56 ` Ivan Gyurdiev
2005-11-01 21:02 ` Joshua Brindle
From: Ivan Gyurdiev @ 2005-11-01 20:56 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SELinux, jbrindle
Ivan Gyurdiev wrote:
>
>> I'm not sure about this; at present, it has the side effect that a
>> semodule -b base.pp will fail upon the attempt to copy seusers (because
>> there isn't one in the sandbox presently, not even an empty stub).
> Yes, the seusers from /etc/selinux/strict/seusers have to get in the
> sandbox somehow...
> I'm not entirely sure how, but I think Tresys has indicated that
> should occur through the APIs, rather than by copying it in.
>
> This is only necessary for migration...
So, the question of what should be done about this still stands -
Joshua? From the point of view of libsemanage, a commit with a missing
seusers file should fail, because the store should hold the
authoritative copy of this file, and it's an important file, so it seems
like lack of it should be considered fatal...there should at least be a
default entry?
How will the store be initialized? Seems like this should possibly be
done in the libsemanage post script? Any callers of the library should
already have the store be in good state for use.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 20:56 ` Ivan Gyurdiev
@ 2005-11-01 21:02 ` Joshua Brindle
2005-11-01 21:10 ` Stephen Smalley
2005-11-01 21:20 ` Ivan Gyurdiev
From: Joshua Brindle @ 2005-11-01 21:02 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SELinux
Ivan Gyurdiev wrote:
> Ivan Gyurdiev wrote:
>
>>
>>> I'm not sure about this; at present, it has the side effect that a
>>> semodule -b base.pp will fail upon the attempt to copy seusers (because
>>> there isn't one in the sandbox presently, not even an empty stub).
>>
>> Yes, the seusers from /etc/selinux/strict/seusers have to get in the
>> sandbox somehow...
>> I'm not entirely sure how, but I think Tresys has indicated that
>> should occur through the APIs, rather than by copying it in.
>>
>> This is only necessary for migration...
>
> So, the question of what should be done about this still stands -
> Joshua? From the point of view of libsemanage, a commit with a missing
> seusers file should fail, because the store should hold the
> authoritative copy of this file, and it's an important file, so it seems
> like lack of it should be considered fatal...there should at least be a
> default entry?
>
This is really saying that libsemanage knows what libselinux needs,
which I'm not sure is appropriate, because libselinux might not be
looking in seuser at all for mappings, it could be looking in LDAP.
I don't think this is a fatal error during commit.
> How will the store be initialized? Seems like this should possibly be
> done in the libsemanage post script? Any callers of the library should
> already have the store be in good state for use.
>
>
This is a question we should be answering soon. There are a couple
options but because of time constraints on FC5 test 1 it will probably
be the base rpm putting stuff in there directly, at least for now. The
ideal way would be to bootstrap the whole thing through libsemanage but
there is a bit of work to be done before this is possible.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:02 ` Joshua Brindle
@ 2005-11-01 21:10 ` Stephen Smalley
2005-11-01 21:20 ` Ivan Gyurdiev
From: Stephen Smalley @ 2005-11-01 21:10 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Ivan Gyurdiev, SELinux
On Tue, 2005-11-01 at 16:02 -0500, Joshua Brindle wrote:
> This is a question we should be answering soon. There are a couple
> options but because of time constraints on FC5 test 1 it will probably
> be the base rpm putting stuff in there directly, at least for now. The
> ideal way would be to bootstrap the whole thing through libsemanage but
> there is bit of work to be done before this is possible.
I don't really see the point in supporting it in the libsemanage API
when it is purely a migration-time import of existing data. The module
case is different in that the API already has to support importing an
entire module, but the local APIs are properly at the individual record
level.
--
Stephen Smalley
National Security Agency
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:02 ` Joshua Brindle
2005-11-01 21:10 ` Stephen Smalley
@ 2005-11-01 21:20 ` Ivan Gyurdiev
2005-11-01 21:11 ` Joshua Brindle
1 sibling, 1 reply; 18+ messages in thread
From: Ivan Gyurdiev @ 2005-11-01 21:20 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, SELinux
>>>
>>> Yes, the seusers from /etc/selinux/strict/seusers have to get in the
>>> sandbox somehow...
>>> I'm not entirely sure how, but I think Tresys has indicated that
>>> should occur through the APIs, rather than by copying it in.
>>>
>>> This is only necessary for migration...
>>
>> So, the question of what should be done about this still stands -
>> Joshua? From the point of view of libsemanage, a commit with a
>> missing seusers file should fail, because the store should hold the
>> authoritative copy of this file, and it's an important file, so it
>> seems like lack of it should be considered fatal...there should at
>> least be a default entry?
>>
> This is really saying that libsemanage knows what libselinux needs,
> which I'm not sure is appropriate, because libselinux might not be
> looking in seuser at all for mappings, it could be looking in LDAP.
I think they should be looking in the same place for modifications to
the seuser database to work as expected...
I'm not sure what the meaning of selinux_usersconf_path would be if
libselinux is looking in LDAP.
> I don't think this is a fatal error during commit.
That can be changed...
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [ SEMANAGE ] Install seusers, rename some files
2005-11-01 21:20 ` Ivan Gyurdiev
@ 2005-11-01 21:11 ` Joshua Brindle
0 siblings, 0 replies; 18+ messages in thread
From: Joshua Brindle @ 2005-11-01 21:11 UTC (permalink / raw)
To: Ivan Gyurdiev; +Cc: Stephen Smalley, SELinux
Ivan Gyurdiev wrote:
>
>>>>
>>>> Yes, the seusers from /etc/selinux/strict/seusers have to get in the
>>>> sandbox somehow...
>>>> I'm not entirely sure how, but I think Tresys has indicated that
>>>> should occur through the APIs, rather than by copying it in.
>>>>
>>>> This is only necessary for migration...
>>>
>>>
>>> So, the question of what should be done about this still stands -
>>> Joshua? From the point of view of libsemanage, a commit with a
>>> missing seusers file should fail, because the store should hold the
>>> authoritative copy of this file, and it's an important file, so it
>>> seems like lack of it should be considered fatal...there should at
>>> least be a default entry?
>>>
>> This is really saying that libsemanage knows what libselinux needs,
>> which I'm not sure is appropriate, because libselinux might not be
>> looking in seuser at all for mappings, it could be looking in LDAP.
>
> I think they should be looking in the same place for modifications to
> the seuser database to work as expected...
> I'm not sure what the meaning of : selinux_usersconf_path is, if
> libselinux is looking in LDAP.
If LDAP is in use it should be authoritative, so there would be no local file.
Clearly libselinux has no support for this yet, so how it would be
configured is unclear, but I'm pretty sure LDAP should be the only source
of mappings if it is in use.
>
>> I don't think this is a fatal error during commit.
>
> That can be changed...
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.