* Stability of libsepol and libsemanage?
From: Thomas Bleher @ 2005-11-09 13:40 UTC
To: SELinux ML

I'm currently filing wishlist bugs in the SUSE bugzilla against various
packages regarding SELinux support. SUSE is currently missing libsepol
and libsemanage, so I wondered if it is safe to add the development
versions now, considering the many patches that are applied now.
Are the libraries as they are now safe to be used in a release or will
there be incompatible changes so it would be better to wait for a while?

Thanks for your answer,
Thomas

--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Stability of libsepol and libsemanage?
From: Stephen Smalley @ 2005-11-09 13:52 UTC
To: Thomas Bleher; +Cc: SELinux ML

On Wed, 2005-11-09 at 14:40 +0100, Thomas Bleher wrote:
> I'm currently filing wishlist bugs in the SUSE bugzilla against various
> packages regarding SELinux support. SUSE is currently missing libsepol
> and libsemanage, so I wondered if it is safe to add the development
> versions now, considering the many patches that are applied now.
> Are the libraries as they are now safe to be used in a release or will
> there be incompatible changes so it would be better to wait for a while?

We only guarantee ABI stability for nsa.gov releases, not sourceforge
CVS snapshots. So, if you want such a guarantee, you should wait.
It likely won't be long now until we make an updated release.

--
Stephen Smalley
National Security Agency

* Re: Stability of libsepol and libsemanage?
From: Stephen Smalley @ 2005-11-09 14:06 UTC
To: Thomas Bleher; +Cc: Russell Coker, Manoj Srivastava, SELinux ML

On Wed, 2005-11-09 at 08:52 -0500, Stephen Smalley wrote:
> On Wed, 2005-11-09 at 14:40 +0100, Thomas Bleher wrote:
> > I'm currently filing wishlist bugs in the SUSE bugzilla against various
> > packages regarding SELinux support. SUSE is currently missing libsepol
> > and libsemanage, so I wondered if it is safe to add the development
> > versions now, considering the many patches that are applied now.
> > Are the libraries as they are now safe to be used in a release or will
> > there be incompatible changes so it would be better to wait for a while?
>
> We only guarantee ABI stability for nsa.gov releases, not sourceforge
> CVS snapshots. So, if you want such a guarantee, you should wait.
> It likely won't be long now until we make an updated release.

Note btw that many of the SELinux userland patches have also changed
(see the Fedora public CVS tree), e.g. sysvinit-selinux.patch now takes
advantage of a new libselinux function to handle all of the details,
pam_selinux and patches for sshd, crond, etc now use getseuserbyname()
to map the Linux user to a SELinux user and (optionally) level prior to
calling get_default_context or get_ordered_context_list, etc. Hence,
when you update to the next release of the libraries, you should also
revisit your ports of the SELinux userland patches for your distros.

--
Stephen Smalley
National Security Agency

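The mapping step named in the message above (Linux user to SELinux user and optional level), as an added example that is not part of the thread and is not libselinux code. It models the lookup over constructed lines in the seusers layout `login:seuser[:range]` with a `__default__` fallback entry; `struct seuser_map`, `parse_line` and `lookup_seuser` are hypothetical names, and real callers would use getseuserbyname() instead.

```c
#include <stdio.h>
#include <string.h>

#define FIELD 64
struct seuser_map { char login[FIELD], seuser[FIELD], range[FIELD]; };

/* Constructed sample lines (not from a real system): login:seuser[:range]. */
static const char *SAMPLE[] = {
    "root:root:s0-s0:c0.c1023",
    "alice:staff_u:s0-s0:c0.c5",
    "bob:user_u",
    "__default__:user_u:s0",
};

/* Only the first two ':' are separators; the raw MLS range keeps its own. */
static int parse_line(const char *line, struct seuser_map *m)
{
    const char *c1 = strchr(line, ':'), *c2 = c1 ? strchr(c1 + 1, ':') : NULL;
    size_t n = c1 ? (size_t)(c1 - line) : 0;
    if (line[0] == '#' || n == 0 || n >= FIELD) return -1;
    memcpy(m->login, line, n); m->login[n] = '\0';
    n = c2 ? (size_t)(c2 - c1 - 1) : strlen(c1 + 1);
    if (n == 0 || n >= FIELD) return -1;
    memcpy(m->seuser, c1 + 1, n); m->seuser[n] = '\0';
    if (c2 && strlen(c2 + 1) >= FIELD) return -1;
    strcpy(m->range, c2 ? c2 + 1 : "");   /* empty when no range is given */
    return 0;
}

/* Hypothetical helper: exact login match wins, otherwise __default__. */
int lookup_seuser(const char *linuxuser, struct seuser_map *out)
{
    struct seuser_map m, def = {{0}, {0}, {0}};
    int have_def = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++) {
        if (parse_line(SAMPLE[i], &m) != 0) continue;
        if (strcmp(m.login, linuxuser) == 0) { *out = m; return 0; }
        if (strcmp(m.login, "__default__") == 0) { def = m; have_def = 1; }
    }
    if (have_def) *out = def;
    return have_def ? 0 : -1;
}

int main(void)
{
    struct seuser_map r;
    if (lookup_seuser("mallory", &r) == 0)   /* no own entry: default applies */
        printf("mallory -> %s %s\n", r.seuser, r.range);
    return 0;
}
```

The range comes back exactly as stored, untranslated, and a login with no entry of its own gets the `__default__` mapping rather than an error.
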
[parent not found: <43721FCE.8050308@cornell.edu>]
[parent not found: <1131552597.20591.554.camel@moss-spartans.epoch.ncsc.mil>]
* MLS translations for libsemanage and libsepol
From: Ivan Gyurdiev @ 2005-11-09 22:31 UTC
To: Stephen Smalley; +Cc: dwalsh, selinux, SELinux-dev

> seusers is a little unclear; it presently has to use the raw definitions
> because it is only a partial context (just the range), so it isn't going
> through conversion. GUI for seusers modification would likely apply
> translation itself for presentation to admins.

What's the justification for doing translations in libselinux (the
library), while placing that responsibility on the caller for
libsemanage, and sepol. Maybe we should be doing translations for:

- policydb_context_isvalid
- any new functions added to libsepol to check validity and dominance
  of mls ranges (for seusers)
- se[pol/manage]_context_from_string
- se[pol/manage]_context_to_string
- se[pol/manage]_context_get_mls
- se[pol/manage]_context_set_mls
- se[pol/manage]_user_get_mlslevel (?? - are categories supposed to be
  rejected here)
- se[pol/manage]_user_set_mlslevel (?? - are they actually rejected, or
  just ignored..hmm)
- se[pol/manage]_user_get_mlsrange
- se[pol/manage]_user_set_mlsrange
- se[pol/manage]_seuser_get_mlsrange
- se[pol/manage]_seuser_set_mlsrange

* Re: MLS translations for libsemanage and libsepol
From: Stephen Smalley @ 2005-11-10 12:30 UTC
To: Ivan Gyurdiev; +Cc: dwalsh, selinux, SELinux-dev

On Wed, 2005-11-09 at 17:31 -0500, Ivan Gyurdiev wrote:
> What's the justification for doing translations in libselinux (the
> library), while placing that responsibility on the caller for
> libsemanage, and sepol. Maybe we should be doing translations for:

Translation is done in the context of a system's running policy, whereas
libsepol and libsemanage are operating on a policy object that may
differ from the system's running policy.

--
Stephen Smalley
National Security Agency

* Re: MLS translations for libsemanage and libsepol
From: Stephen Smalley @ 2005-11-10 12:42 UTC
To: Ivan Gyurdiev; +Cc: dwalsh, selinux, SELinux-dev

On Thu, 2005-11-10 at 07:30 -0500, Stephen Smalley wrote:
> On Wed, 2005-11-09 at 17:31 -0500, Ivan Gyurdiev wrote:
> > What's the justification for doing translations in libselinux (the
> > library), while placing that responsibility on the caller for
> > libsemanage, and sepol. Maybe we should be doing translations for:
>
> Translation is done in the context of a system's running policy, whereas
> libsepol and libsemanage are operating on a policy object that may
> differ from the system's running policy.

Note that this precisely follows the division between libselinux and the
other two libraries; libselinux is the interface for applications
running on a SELinux host, while libsepol allows manipulation (including
building) of policies on even non-SELinux (or SELinux with different
running policy) hosts. libsemanage lives in the middle, managing policy
on a SELinux host but needing to deal with policies before they are
loaded into the system, so it cannot assume that e.g. contexts it is
handling are necessarily valid yet for the running policy.

--
Stephen Smalley
National Security Agency