* writing refpolicy modules...
From: Joy Latten @ 2006-02-06 18:09 UTC (permalink / raw)
  To: selinux; +Cc: dvelarde, selinux-dev

We (Deb and I) have a few questions in regards to creating new modules
within refpolicy architecture. We have installed FC5-Test2 and we
are converting old policy to the new refpolicy format.

Is it ok to use the selinux-policy source rpm from rawhide as
a source tree to build a refpolicy module? I understand that the
necessary headers to build independent of source are not yet available.

Do all refpolicy modules need a require and/or optional statement when
using types/attributes from other modules? I ask this because I had
downloaded the rawhide selinux-policy source rpm and had been using the
modules' code as a guideline for writing a refpolicy module. I noticed
that none of the modules used the require/optional statement, but then
they are all compiled as part of the base policy. So, does this mean any
modules written outside of the base module, must use the require or
optional statements if they want to use attributes or types in the base
module? Because my module is not part of the base module.

Also, if I am using interfaces from the base module, are there any
requirements my module must meet? For example, the type domain is now
used as domain_type(), an interface. So, is my policy ok by just
referring to this interface or must I do something else?

Thanks!

Regards,
Joy and Deb



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: writing refpolicy modules...
From: Stephen Smalley @ 2006-02-06 18:49 UTC (permalink / raw)
  To: Joy Latten; +Cc: Daniel J Walsh, selinux, dvelarde, selinux-dev

On Mon, 2006-02-06 at 12:09 -0600, Joy Latten wrote:
> We (Deb and I) have a few questions in regards to creating new modules
> within refpolicy architecture. We have installed FC5-Test2 and we
> are converting old policy to the new refpolicy format.
> 
> Is it ok to use the selinux-policy source rpm from rawhide as
> a source tree to build a refpolicy module? I understand that the
> necessary headers to build independent of source are not yet available.

Looks like there is a selinux-policy-devel in rawhide.  Installs
under /usr/share/selinux/refpolicy.  So it might be worth updating to
the rawhide selinux-policy and installing selinux-policy-devel to try it
out.

> Do all refpolicy modules need a require and/or optional statement when
> using types/attributes from other modules? I ask this because I had
> downloaded the rawhide selinux-policy source rpm and had been using the
> modules' code as a guideline for writing a refpolicy module. I noticed
> that none of the modules used the require/optional statement, but then
> they are all compiled as part of the base policy. So, does this mean any
> modules written outside of the base module, must use the require or
> optional statements if they want to use attributes or types in the base
> module? Because my module is not part of the base module.

refpolicy modules should be using support macros that expand to require
statements if they are needed, IIUC.  So they can be built either way.  

> Also, if I am using interfaces from the base module, are there any
> requirements my module must meet? For example, the type domain is now
> used as domain_type(), an interface. So, is my policy ok by just
> referring to this interface or must I do something else?

You should be able to use the interfaces provided by the refpolicy, and
those macros will expand to include all necessary require statements for
the interface.

-- 
Stephen Smalley
National Security Agency



* Re: writing refpolicy modules...
From: Stephen Smalley @ 2006-02-06 19:11 UTC (permalink / raw)
  To: Joy Latten; +Cc: Daniel J Walsh, selinux, dvelarde, selinux-dev

On Mon, 2006-02-06 at 13:49 -0500, Stephen Smalley wrote:
> On Mon, 2006-02-06 at 12:09 -0600, Joy Latten wrote:
> > We (Deb and I) have a few questions in regards to creating new modules
> > within refpolicy architecture. We have installed FC5-Test2 and we
> > are converting old policy to the new refpolicy format.
> > 
> > Is it ok to use the selinux-policy source rpm from rawhide as
> > a source tree to build a refpolicy module? I understand that the
> > necessary headers to build independent of source are not yet available.
> 
> Looks like there is a selinux-policy-devel in rawhide.  Installs
> under /usr/share/selinux/refpolicy.  So it might be worth updating to
> the rawhide selinux-policy and installing selinux-policy-devel to try it
> out.

Looks like there is a simple policygentool script
under /usr/share/selinux/refpolicy that can be used to generate a
stub .te, .fc, and .if file for a new module/domain (although I assume
that it is a mistake that the module name is left as TEMPLATE in the
generated file), and then you can run make on the Makefile in that
directory to generate a policy module package.  At which point you can
insert it via semodule -i.

-- 
Stephen Smalley
National Security Agency


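Putting Stephen's two answers together (interfaces carry their own require statements, and policygentool gives you stub .te, .fc and .if files that you build with the refpolicy Makefile and load with semodule -i), this is what a complete minimal module looks like once the TEMPLATE placeholders are filled in. It is an added illustration, not code from the thread, from policygentool's output or from refpolicy itself: the module name myapp, the types myapp_t, myapp_exec_t, myapp_conf_t and myapp_var_run_t, the interface myapp_read_config and the paths in the .fc section are made up for the example. The macros it calls (policy_module, init_daemon_domain, files_config_file, files_pid_file, files_pid_filetrans, files_search_etc, files_read_etc_files, libs_use_ld_so, libs_use_shared_libs, logging_send_syslog_msg, miscfiles_read_localization, nscd_socket_use, gen_require, optional_policy and the *_perms permission sets) are refpolicy's own. Note that the .te never writes a require block by hand: each interface it calls expands to the gen_require it needs, exactly as the .if section shows for myapp_read_config.

```m4
# ---- myapp.te (example module, not from the thread) ----
policy_module(myapp, 1.0)

########################################
#
# Declarations
#

# Daemon domain and its entry point; init_daemon_domain() expands to
# domain_type(), domain_entry_file() and the init transition rules.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Configuration under /etc and a pid file under /var/run.
type myapp_conf_t;
files_config_file(myapp_conf_t)

type myapp_var_run_t;
files_pid_file(myapp_var_run_t)

########################################
#
# Local policy
#

# Least privilege: only the capabilities and self access the daemon needs.
allow myapp_t self:capability { setuid setgid };
allow myapp_t self:process signal_perms;
allow myapp_t self:tcp_socket create_stream_socket_perms;

# Read-only access to its own configuration.
allow myapp_t myapp_conf_t:dir r_dir_perms;
allow myapp_t myapp_conf_t:file r_file_perms;

# Pid file: create it in /var/run and label it automatically.
allow myapp_t myapp_var_run_t:file create_file_perms;
files_pid_filetrans(myapp_t, myapp_var_run_t, file)

# Access to base-module types goes through interfaces; no require block
# is written here because each interface carries its own gen_require.
files_read_etc_files(myapp_t)
libs_use_ld_so(myapp_t)
libs_use_shared_libs(myapp_t)
logging_send_syslog_msg(myapp_t)
miscfiles_read_localization(myapp_t)

# Rules that depend on another loadable module go in optional_policy so
# the module still links when that module is absent. Current refpolicy
# takes a single argument; older trees took the module name as an extra
# first argument, so check the modules in your own tree.
optional_policy(`
	nscd_socket_use(myapp_t)
')

# ---- myapp.if (example interface, not from the thread) ----
## <summary>Example daemon (myapp) policy.</summary>

########################################
## <summary>
##	Read myapp configuration files.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`myapp_read_config',`
	# This is the require statement Joy asked about: the interface
	# declares what it needs, so callers in other modules do not have to.
	gen_require(`
		type myapp_conf_t;
	')

	files_search_etc($1)
	allow $1 myapp_conf_t:dir r_dir_perms;
	allow $1 myapp_conf_t:file r_file_perms;
')

# ---- myapp.fc (example file contexts, not from the thread) ----
/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
/etc/myapp(/.*)?		gen_context(system_u:object_r:myapp_conf_t,s0)
/var/run/myapp\.pid	--	gen_context(system_u:object_r:myapp_var_run_t,s0)
```

Build and load it the way Stephen describes: put the three files in a directory of their own, run make against the Makefile installed under /usr/share/selinux/refpolicy by selinux-policy-devel to produce myapp.pp, then `semodule -i myapp.pp`; `semodule -l` afterwards should list the module. If the link step complains about an undeclared type, that is the sign that some rule reaches a base-module type directly instead of through an interface, which is the case the require/gen_require discussion above is about.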

* Re: writing refpolicy modules...
From: Daniel J Walsh @ 2006-02-06 19:20 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Joy Latten, selinux, dvelarde, selinux-dev

Stephen Smalley wrote:
> On Mon, 2006-02-06 at 13:49 -0500, Stephen Smalley wrote:
>   
>> On Mon, 2006-02-06 at 12:09 -0600, Joy Latten wrote:
>>     
>>> We (Deb and I) have a few questions in regards to creating new modules
>>> within refpolicy architecture. We have installed FC5-Test2 and we
>>> are converting old policy to the new refpolicy format.
>>>
>>> Is it ok to use the selinux-policy source rpm from rawhide as
>>> a source tree to build a refpolicy module? I understand that the
>>> necessary headers to build independent of source are not yet available.
>>>       
>> Looks like there is a selinux-policy-devel in rawhide.  Installs
>> under /usr/share/selinux/refpolicy.  So it might be worth updating to
>> the rawhide selinux-policy and installing selinux-policy-devel to try it
>> out.
>>     
>
> Looks like there is a simple policygentool script
> under /usr/share/selinux/refpolicy that can be used to generate a
> stub .te, .fc, and .if file for a new module/domain (although I assume
> that it is a mistake that the module name is left as TEMPLATE in the
> generated file), and then you can run make on the Makefile in that
> directory to generate a policy module package.  At which point you can
> insert it via semodule -i.
>
>   
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
has a description of how to use selinux-policy-devel. The TEMPLATE
should be TEMPLATETYPE, which will be in RawHide tonight.

Now I would like to write an audit2allow extension to look for matches in
/usr/share/selinux/refpolicy and use these macros rather than straight
audit rules.


Dan




* RE: writing refpolicy modules...
From: Karl MacMillan @ 2006-02-06 21:35 UTC (permalink / raw)
  To: 'Daniel J Walsh', 'Stephen Smalley'
  Cc: 'Joy Latten', selinux, dvelarde, selinux-dev

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
> Sent: Monday, February 06, 2006 2:20 PM
> To: Stephen Smalley
> Cc: Joy Latten; selinux@tycho.nsa.gov; dvelarde@us.ibm.com; selinux-
> dev@tresys.com
> Subject: Re: writing refpolicy modules...
> 
> Stephen Smalley wrote:
> > On Mon, 2006-02-06 at 13:49 -0500, Stephen Smalley wrote:
> >
> >> On Mon, 2006-02-06 at 12:09 -0600, Joy Latten wrote:
> >>
> >>> We (Deb and I) have a few questions in regards to creating new modules
> >>> within refpolicy architecture. We have installed FC5-Test2 and we
> >>> are converting old policy to the new refpolicy format.
> >>>
> >>> Is it ok to use the selinux-policy source rpm from rawhide as
> >>> a source tree to build a refpolicy module? I understand that the
> >>> necessary headers to build independent of source are not yet
> available.
> >>>
> >> Looks like there is a selinux-policy-devel in rawhide.  Installs
> >> under /usr/share/selinux/refpolicy.  So it might be worth updating to
> >> the rawhide selinux-policy and installing selinux-policy-devel to try
> it
> >> out.
> >>
> >
> > Looks like there is a simple policygentool script
> > under /usr/share/selinux/refpolicy that can be used to generate a
> > stub .te, .fc, and .if file for a new module/domain (although I assume
> > that it is a mistake that the module name is left as TEMPLATE in the
> > generated file), and then you can run make on the Makefile in that
> > directory to generate a policy module package.  At which point you can
> > insert it via semodule -i.
> >
> >
> http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
> has a description of how to use selinux-policy-devel. The TEMPLATE
> should be TEMPLATETYPE, which will be in RawHide tonight.
> 
> Now I would like to write an audit2allow extension to look for matches in
> /usr/share/selinux/refpolicy and use these macros rather than straight
> audit rules.
> 

We are working on this (sort of like audit2interface) for setools. It turns
out to be a _very_ hard problem if you want to propose a minimal set of
interfaces to cover a set of audit messages (it is similar to many packing
problems). We have a solution using some simple heuristics that keeps the
problem from exploding computationally. Should be available in some future
setools release, but probably not for a while.

Karl

------
Karl MacMillan
Tresys Technology
http://www.tresys.com

> 
> Dan



