From: Ivan Gyurdiev <ivg2@cornell.edu>
To: Ivan Gyurdiev <ivg2@cornell.edu>
Cc: Stephen Smalley <sds@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
selinux@tycho.nsa.gov, Joshua Brindle <jbrindle@tresys.com>,
Karl MacMillan <kmacmillan@tresys.com>,
Frank Mayer <mayerf@tresys.com>,
chris pebenito <cpebenito@tresys.com>,
James Morris <jmorris@redhat.com>,
Chad Sellers <csellers@tresys.com>
Subject: Re: [ SELINUX ] [ POLICYCOREUTILS ] Convert setsebool -P to use libsemanage
Date: Fri, 04 Nov 2005 16:59:55 -0500 [thread overview]
Message-ID: <436BD9DB.2050700@cornell.edu> (raw)
In-Reply-To: <436BD878.1070300@cornell.edu>
Ivan Gyurdiev wrote:
> Stephen Smalley wrote:
>> On Fri, 2005-11-04 at 11:12 -0500, Stephen Smalley wrote:
>>
>>> Then the options would seem to be:
>>> 1) Have libsemanage internally detect whether the sandbox has been
>>> initialized, and if not, fall back to calling the libselinux
>>> function to
>>> manipulate booleans.local, or
>>> 2) Have libsemanage provide an interface (is_semanage_enabled?) to
>>> allow
>>> setsebool to detect whether the system is "managed" via libsemanage
>>> (i.e. has the sandbox been initialized via prior semodule -b), and have
>>> setsebool use that interface and fall back to calling the libselinux
>>> function if it is not enabled.
>>>
>>> Note that libsemanage (and thus semanage.conf) will be present on the
>>> system regardless of whether or not the system is "managed" using it
>>> since policycoreutils depends on it now.
>>>
>>
>> I think I favor #1, as this is a legacy issue that is only going to
>> exist for booleans. When someone creates a setseport or setseinterface
>> or ..., they are just going to use the semanage interfaces, and if the
>> system isn't managed via libsemanage, it simply isn't going to work
>> (i.e. there is no fallback mechanism, as such support didn't exist prior
>> to the introduction of libsemanage). Thus, setsebool should likewise
>> unconditionally use the semanage interfaces, and libsemanage should
>> internally route the requests to the old libselinux interfaces if the
>> system isn't managed for legacy support.
>>
> I'm not sure that this makes sense... let's get back to the reason
> _why_ the sandbox is uninitialized - it's because we haven't copied
> the proper files into the sandbox yet. Falling back to other functions
> seems equivalent to doing the initialization ourselves - copy the
> proper files into the sandbox. We could just do that instead, but I'm
> not sure it's a good idea. It would require the same privileges....
I am also wondering whether migration code should go into the
libsemanage %post script, rather than the policy %post script.
Then we don't have to deal with this issue, because the fact that you're
linking to the library means it's installed, and %post was executed -
I haven't thought much about this, so maybe it's a stupid idea, but ...
what do you think?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.