* New version of Targeted Reference policy is available to play with.
From: Daniel J Walsh @ 2005-11-10 14:16 UTC
  To: SE Linux

ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: New version of Targeted Reference policy is available to play with.
From: Stephen Smalley @ 2005-11-10 15:50 UTC
  To: Daniel J Walsh; +Cc: SELinux-dev, SE Linux

On Thu, 2005-11-10 at 09:16 -0500, Daniel J Walsh wrote:
> ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm

Caveat:  I tried updating to this policy from the current rawhide
targeted policy, and while it appeared to do the right things (modulo
some relabeling, see my other posting for the log file), when it
finished, rpm seems to have removed the generated policy files
(policy.20, file_contexts, seusers) that are now managed via
libsemanage.  Thus, a reboot immediately fails with no policy.

I think that what is happening is that rpm sees that these files _were_
owned by the previous targeted policy package and are no longer provided
by this new policy package (since they are now generated via
libsemanage), so rpm cheerfully deletes them as no longer being needed.
Can we suppress that removal in some way?

-- 
Stephen Smalley
National Security Agency

* Re: New version of Targeted Reference policy is available to play with.
From: Stephen Smalley @ 2005-11-10 15:57 UTC
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 10:50 -0500, Stephen Smalley wrote:
> On Thu, 2005-11-10 at 09:16 -0500, Daniel J Walsh wrote:
> > ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.3.src.rpm
> 
> Caveat:  I tried updating to this policy from the current rawhide
> targeted policy, and while it appeared to do the right things (modulo
> some relabeling, see my other posting for the log file), when it
> finished, rpm seems to have removed the generated policy files
> (policy.20, file_contexts, seusers) that are now managed via
> libsemanage.  Thus, a reboot immediately fails with no policy.
> 
> I think that what is happening is that rpm sees that these files _were_
> owned by the previous targeted policy package and are no longer provided
> by this new policy package (since they are now generated via
> libsemanage), so rpm cheerfully deletes them as no longer being needed.
> Can we suppress that removal in some way?

Hmmm...so I tried regenerating the generated files from the sandbox via
semodule -B, but I get the following:
Committing changes:
libsemanage.parse_assert_space: missing whitespace
(/etc/selinux/targeted/modules/tmp/seusers: 1):
root:root:s0-s0:c0.c255
libsemanage.seuser_parse: could not parse seuser record
libsemanage.dbase_file_cache: could not cache file database
libsemanage.enter_ro: could not enter read-only section
libsemanage.semanage_commit_components: could not commit local
modifications
Failed!

This is with the stock seusers file from the targeted policy that was
copied into the sandbox by the %post script.

-- 
Stephen Smalley
National Security Agency

* Re: New version of Targeted Reference policy is available to play with.
From: Stephen Smalley @ 2005-11-10 16:00 UTC
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 10:57 -0500, Stephen Smalley wrote:
> Hmmm...so I tried regenerating the generated files from the sandbox via
> semodule -B, but I get the following:
> Committing changes:
> libsemanage.parse_assert_space: missing whitespace
> (/etc/selinux/targeted/modules/tmp/seusers: 1):
> root:root:s0-s0:c0.c255
> libsemanage.seuser_parse: could not parse seuser record
> libsemanage.dbase_file_cache: could not cache file database
> libsemanage.enter_ro: could not enter read-only section
> libsemanage.semanage_commit_components: could not commit local
> modifications
> Failed!
> 
> This is with the stock seusers file from the targeted policy that was
> copied into the sandbox by the %post script.

Ok, I see what is happening in the code.  It checks
is_selinux_mls_enabled() to decide whether to expect the MLS range
field, and since SELinux is now disabled on this system (due to reboot
w/o an installed policy), that returns false.

-- 
Stephen Smalley
National Security Agency

* Re: New version of Targeted Reference policy is available to play with.
From: Stephen Smalley @ 2005-11-10 17:58 UTC
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, SELinux-dev, SE Linux

On Thu, 2005-11-10 at 11:00 -0500, Stephen Smalley wrote:
> Ok, I see what is happening in the code.  It checks
> is_selinux_mls_enabled() to decide whether to expect the MLS range
> field, and since SELinux is now disabled on this system (due to reboot
> w/o an installed policy), that returns false.

This raises the general question of the extent to which semanage needs
to work when SELinux is disabled or is enabled but running a very
different policy from the policy being managed for bootstrapping and
upgrading or conversion purposes. It already supports specifying the
store and disabling reloads, so that provides much of the necessary
flexibility.  Possibly src/seusers_file.c and src/users_file.c should be
using the MLS enabled status of the base policy rather than the current
system MLS enabled status.

-- 
Stephen Smalley
National Security Agency
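
The parse failure and the proposed fix discussed in this sub-thread, as an added example in Python (not libsemanage's own code): it models the seusers record parser, reproduces the "missing whitespace" error on the record quoted above when the MLS flag is false, and takes the MLS flag from the binary policy header (the POLICYDB_CONFIG_MLS bit; header layout assumed from libsepol's policydb format) instead of the running system, as the last message suggests. fake_policy_header builds a constructed header for the demonstration only.

```python
import re
import struct

POLICYDB_MAGIC = 0xF97CFF8C    # magic word of a libsepol binary policy
POLICYDB_STRING = b"SE Linux"  # identification string for a kernel policy
POLICYDB_CONFIG_MLS = 1        # MLS bit in the header's config word
SEUSERS_LINE = "root:root:s0-s0:c0.c255"  # the record quoted in the thread

def _fetch(s: str, delim: str):
    """Read a token up to delim or whitespace (models libsemanage's parse_fetch_string)."""
    m = re.match(rf"[^{re.escape(delim)}\s]+", s)
    if not m:
        raise ValueError("expected a token")
    return m.group(0), s[m.end():]

def parse_seuser(line: str, mls_enabled: bool):
    """Parse 'user:seuser[:mls_range]'; the range field is expected only when mls_enabled."""
    name, rest = _fetch(line.rstrip("\n"), ":")
    if not rest.startswith(":"):
        raise ValueError("expected ':' after user name")
    sename, rest = _fetch(rest[1:], ":")
    mls_range = None
    if mls_enabled:
        if not rest.startswith(":"):
            raise ValueError("expected ':' before MLS range")
        mls_range, rest = _fetch(rest[1:], " ")
    # parse_assert_space: with MLS off, the ':' that starts the range triggers "missing whitespace"
    if rest and not rest[0].isspace():
        raise ValueError("missing whitespace")
    return name, sename, mls_range

def policy_mls_enabled(policy: bytes) -> bool:
    """Read the MLS flag from a binary policy header instead of asking the running kernel."""
    magic, slen = struct.unpack_from("<II", policy, 0)
    if magic != POLICYDB_MAGIC or policy[8:8 + slen] != POLICYDB_STRING:
        raise ValueError("not a kernel policy file")
    _version, config = struct.unpack_from("<II", policy, 8 + slen)
    return bool(config & POLICYDB_CONFIG_MLS)

def load_seusers(text: str, policy: bytes) -> list:
    """The change the thread suggests: MLS status comes from the base policy being managed."""
    mls = policy_mls_enabled(policy)
    return [parse_seuser(l, mls) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def fake_policy_header(mls: bool) -> bytes:
    """Constructed policy.20-style header carrying only the fields read above; not a real policy."""
    config = POLICYDB_CONFIG_MLS if mls else 0
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING)) + POLICYDB_STRING
            + struct.pack("<IIII", 20, config, 7, 7))
```

With the constructed MLS header, load_seusers accepts the quoted record; with the flag taken from a disabled system it fails exactly as in the log above.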


* New version of Targeted Reference policy is available to play with.
From: Daniel J Walsh @ 2005-11-10 20:04 UTC
  To: Stephen Smalley; +Cc: SE Linux

ftp://people.redhat.com/dwalsh/SELinux/refpolicy/selinux-policy-2.0.0-0.4.src.rpm


This fixes the spec file to leave the policy.20 file.

