We need a tool to extract the file context contents out of a policy package.

We need a tool to extract the file context contents out of a policy package.

[Daniel J Walsh]

If we had this we could do something like

fixfiles -P mypolicy.pp

And it would restorecon over the file context.

Dan

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need a tool to extract the file context contents out of a policy package.

[Ivan Gyurdiev]

Daniel J Walsh wrote:
> If we had this we could do something like
>
> fixfiles -P mypolicy.pp
>
> And it would restorecon over the file context.
- what if the contexts used are defined in another module that isn't 
linked yet?
- what if the contexts are in this module, but it isn't loaded?
- what about genhomedircon processing?

Why can't we do this in semanage_commit()?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need a tool to extract the file context contents out of a policy package.

[Daniel J Walsh]

Ivan Gyurdiev wrote:
> Daniel J Walsh wrote:
>> If we had this we could do something like
>>
>> fixfiles -P mypolicy.pp
>>
>> And it would restorecon over the file context.
> - what if the contexts used are defined in another module that isn't 
> linked yet? 
Then it will not work, but I don't see that as a real problem.
> - what if the contexts are in this module, but it isn't loaded?
Ditto
>
> - what about genhomedircon processing?
>
Perhaps, but usually not necessary.  We could have fixfiles run 
genhomedircon before restoring context.
> Why can't we do this in semanage_commit()?
I think the indeterminate time could be a problem.  semodule -i could 
take a half hour...




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need a tool to extract the file context contents out of a policy package.

[Joshua Brindle]

Daniel J Walsh wrote:
> If we had this we could do something like
> 
> fixfiles -P mypolicy.pp
> 
> And it would restorecon over the file context.

the file contexts in any given package doesn't represent the file 
contexts on the system. Further, you'll lose the homedir and local 
entries (and if there are homedir entries present they'll lose their 
precedence)

what is the problem you are trying to solve? I think we can do this a 
better way.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need a tool to extract the file context contents out of a policy package.

[Daniel J Walsh]

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> If we had this we could do something like
>>
>> fixfiles -P mypolicy.pp
>>
>> And it would restorecon over the file context.
>
> the file contexts in any given package doesn't represent the file 
> contexts on the system. Further, you'll lose the homedir and local 
> entries (and if there are homedir entries present they'll lose their 
> precedence)
>
> what is the problem you are trying to solve? I think we can do this a 
> better way.
If I install a package I need a way of relabeling the files that are 
being installed.  Currently when the policy package gets updated, it 
does a diff between previous file_context and new file_context and then 
runs a restorecon on the diff.  We currently ignore homedirs.  Moving to 
modules, we need similar capabilities.  Relabeling the entire system 
ever time you update a policy module is not going to work.     The 
current method is not full proof, but it has been fairly effective over 
the last couple of years.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: We need a tool to extract the file context contents out of a policy package.

[Joshua Brindle]

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> If we had this we could do something like
>>>
>>> fixfiles -P mypolicy.pp
>>>
>>> And it would restorecon over the file context.
>>
>> the file contexts in any given package doesn't represent the file 
>> contexts on the system. Further, you'll lose the homedir and local 
>> entries (and if there are homedir entries present they'll lose their 
>> precedence)
>>
>> what is the problem you are trying to solve? I think we can do this a 
>> better way.
> If I install a package I need a way of relabeling the files that are 
> being installed.  Currently when the policy package gets updated, it 
> does a diff between previous file_context and new file_context and then 
> runs a restorecon on the diff.  We currently ignore homedirs.  Moving to 
> modules, we need similar capabilities.  Relabeling the entire system 
> ever time you update a policy module is not going to work.     The 
> current method is not full proof, but it has been fairly effective over 
> the last couple of years.
> 

We can add diffing/restorecon functionality to semanage. I don't know if 
it is fair to assume that one modules file_contexts won't interact in 
unexpected ways with other modules and base file_contexts so we should 
probably always handle the file_contexts in their entirety and never alone.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.