* New version of Targeted Reference policy is available to play with.

From: Daniel J Walsh @ 2005-11-10 14:16 UTC
To: SE Linux

ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm

-- 
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
with the words "unsubscribe selinux" without quotes as the message.
* Re: New version of Targeted Reference policy is available to play with.

From: Stephen Smalley @ 2005-11-10 15:50 UTC
To: Daniel J Walsh; +Cc: SELinux-dev, SE Linux

On Thu, 2005-11-10 at 09:16 -0500, Daniel J Walsh wrote:
> ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm

Caveat: I tried updating to this policy from the current rawhide targeted
policy, and while it appeared to do the right things (modulo some
relabeling, see my other posting for the log file), when it finished, rpm
seems to have removed the generated policy files (policy.20,
file_contexts, seusers) that are now managed via libsemanage. Thus, a
reboot immediately fails with no policy.

I think that what is happening is that rpm sees that these files _were_
owned by the previous targeted policy package and are no longer provided
by this new policy package (since they are now generated via libsemanage),
so rpm cheerfully deletes them as no longer being needed. Can we suppress
that removal in some way?

-- 
Stephen Smalley
National Security Agency
* Re: New version of Targeted Reference policy is available to play with.

From: Stephen Smalley @ 2005-11-10 15:57 UTC
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 10:50 -0500, Stephen Smalley wrote:
> On Thu, 2005-11-10 at 09:16 -0500, Daniel J Walsh wrote:
> > ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm
>
> Caveat: I tried updating to this policy from the current rawhide
> targeted policy, and while it appeared to do the right things (modulo
> some relabeling, see my other posting for the log file), when it
> finished, rpm seems to have removed the generated policy files
> (policy.20, file_contexts, seusers) that are now managed via
> libsemanage. Thus, a reboot immediately fails with no policy.
>
> I think that what is happening is that rpm sees that these files _were_
> owned by the previous targeted policy package and are no longer provided
> by this new policy package (since they are now generated via
> libsemanage), so rpm cheerfully deletes them as no longer being needed.
> Can we suppress that removal in some way?

Hmmm...so I tried regenerating the generated files from the sandbox via
semodule -B, but I get the following:

    Committing changes:
    libsemanage.parse_assert_space: missing whitespace (/etc/selinux/targeted/modules/tmp/seusers: 1): root:root:s0-s0:c0.c255
    libsemanage.seuser_parse: could not parse seuser record
    libsemanage.dbase_file_cache: could not cache file database
    libsemanage.enter_ro: could not enter read-only section
    libsemanage.semanage_commit_components: could not commit local modifications
    Failed!

This is with the stock seusers file from the targeted policy that was
copied into the sandbox by the %post script.

-- 
Stephen Smalley
National Security Agency
* Re: New version of Targeted Reference policy is available to play with.

From: Stephen Smalley @ 2005-11-10 16:00 UTC
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 10:57 -0500, Stephen Smalley wrote:
> Hmmm...so I tried regenerating the generated files from the sandbox via
> semodule -B, but I get the following:
>
>     Committing changes:
>     libsemanage.parse_assert_space: missing whitespace
>     (/etc/selinux/targeted/modules/tmp/seusers: 1):
>     root:root:s0-s0:c0.c255
>     libsemanage.seuser_parse: could not parse seuser record
>     libsemanage.dbase_file_cache: could not cache file database
>     libsemanage.enter_ro: could not enter read-only section
>     libsemanage.semanage_commit_components: could not commit local
>     modifications
>     Failed!
>
> This is with the stock seusers file from the targeted policy that was
> copied into the sandbox by the %post script.

Ok, I see what is happening in the code. It checks
is_selinux_mls_enabled() to decide whether to expect the MLS range field,
and since SELinux is now disabled on this system (due to reboot w/o an
installed policy), that returns false.

-- 
Stephen Smalley
National Security Agency
* Re: New version of Targeted Reference policy is available to play with.

From: Stephen Smalley @ 2005-11-10 17:58 UTC
To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 11:00 -0500, Stephen Smalley wrote:
> Ok, I see what is happening in the code. It checks
> is_selinux_mls_enabled() to decide whether to expect the MLS range
> field, and since SELinux is now disabled on this system (due to reboot
> w/o an installed policy), that returns false.

This raises the general question of the extent to which semanage needs to
work when SELinux is disabled or is enabled but running a very different
policy from the policy being managed, for bootstrapping and upgrading or
conversion purposes. It already supports specifying the store and
disabling reloads, so that provides much of the necessary flexibility.
Possibly src/seusers_file.c and src/users_file.c should be using the MLS
enabled status of the base policy rather than the current system MLS
enabled status.

-- 
Stephen Smalley
National Security Agency
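The parse failure and the proposed fix in the two messages above, as an added example that is not libsemanage's code or anything from the thread's authors: a small seusers parser in which the expectation of an MLS range field is a parameter the caller supplies, so the caller can pass the base policy's MLS flag instead of the running kernel's. The seusers contents are constructed here (the root line is the one quoted in the thread), and `parse_seusers_line`, `parse_seusers`, `parse_with_policy_source` and the `kernel_mls` / `base_policy_mls` parameters are hypothetical names; the error text is this example's own, not libsemanage's messages.

```python
"""Parse an SELinux seusers file (login:seuser[:mls_range]) with the MLS
expectation taken from the policy being managed rather than from the kernel.
Added example, not libsemanage code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Union


@dataclass(frozen=True)
class SeuserRecord:
    login: str
    seuser: str
    mls_range: Optional[str]  # None when the policy has no MLS


class SeusersParseError(ValueError):
    """Raised for a record that does not fit the expected field layout."""


# Constructed sample: the stock targeted seusers line quoted in the thread,
# plus a comment and a default-login entry.
SAMPLE_SEUSERS = """\
# constructed sample seusers
root:root:s0-s0:c0.c255
__default__:user_u:s0
"""


def parse_seusers_line(line: str, mls_enabled: bool, lineno: int = 0) -> SeuserRecord:
    """Split one record. An MLS range may itself contain ':' (s0-s0:c0.c255),
    so split at most twice; login and seuser are always required.
    Without MLS a trailing third field is an error, which mirrors the
    thread's failure when is_selinux_mls_enabled() reports false for an
    MLS seusers file."""
    parts = line.split(":", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise SeusersParseError(f"line {lineno}: expected login:seuser, got {line!r}")
    login, seuser = parts[0], parts[1]
    if mls_enabled:
        if len(parts) != 3 or not parts[2]:
            raise SeusersParseError(
                f"line {lineno}: MLS policy requires a range field: {line!r}")
        return SeuserRecord(login, seuser, parts[2])
    if len(parts) == 3:
        raise SeusersParseError(
            f"line {lineno}: non-MLS policy but trailing range field {parts[2]!r}")
    return SeuserRecord(login, seuser, None)


def parse_seusers(text: str, mls_enabled: bool) -> List[SeuserRecord]:
    """Parse a whole file, skipping blank lines and '#' comments."""
    records: List[SeuserRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        records.append(parse_seusers_line(line, mls_enabled, lineno))
    return records


def parse_with_policy_source(
    text: str, kernel_mls: bool, base_policy_mls: bool
) -> Dict[str, Union[List[SeuserRecord], str]]:
    """Reproduce the thread's situation: the kernel reports MLS off (SELinux
    disabled after the failed reboot) while the base policy in the store is
    MLS. Returns, per MLS source, either the parsed records or the error
    message, so the two choices can be compared side by side."""
    outcome: Dict[str, Union[List[SeuserRecord], str]] = {}
    for source, flag in (("kernel", kernel_mls), ("base_policy", base_policy_mls)):
        try:
            outcome[source] = parse_seusers(text, flag)
        except SeusersParseError as exc:
            outcome[source] = str(exc)
    return outcome


if __name__ == "__main__":
    result = parse_with_policy_source(SAMPLE_SEUSERS, kernel_mls=False, base_policy_mls=True)
    for source, value in result.items():
        print(f"{source}: {value}")
```

Taking the flag from the base policy makes the parse independent of whether SELinux happens to be enabled on the host doing the bootstrap or upgrade, which is the property the last message argues semanage needs when the managed store differs from the running policy.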
* New version of Targeted Reference policy is available to play with.

From: Daniel J Walsh @ 2005-11-10 20:04 UTC
To: Stephen Smalley; +Cc: SE Linux

ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.4.src.rpm

This fixes the spec file to leave the policy.20 file.