Default Mikefile in /usr/share/selinux/devel not nice

Default Mikefile in /usr/share/selinux/devel not nice

[Michael C Thompson]

I just discovered a nasty surprise waiting for me in the default 
Makefile provided by selinux-policy-devel.

Basically, the Makefile produces, on an MLS system, a TYPE value of 
mls-msc (this is due to the SELINUXTYPE=mls line in 
/etc/selinux/config). This will not 'enable_mls' for the M4FLAGS, 
because the Makefile in /usr/share/selinux/devel/include/ does a 
findstring for '-mls'.

Dan Walsh has suggested a fix for the default Makefile, but I'm 
wondering why we can't just change 
/usr/share/selinux/devel/include/Makefile to do a $(findstring 
mls,$TYPE)) instead, since its not unreasonable to think that TYPE=mls 
makes sense.

Thanks,
Mike


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Default Mikefile in /usr/share/selinux/devel not nice

[Chris PeBenito]

[-- Attachment #1: Type: text/plain, Size: 1230 bytes --]

On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
> I just discovered a nasty surprise waiting for me in the default 
> Makefile provided by selinux-policy-devel.
> 
> Basically, the Makefile produces, on an MLS system, a TYPE value of 
> mls-msc (this is due to the SELINUXTYPE=mls line in 
> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS, 
> because the Makefile in /usr/share/selinux/devel/include/ does a 
> findstring for '-mls'.
> 
> Dan Walsh has suggested a fix for the default Makefile, but I'm 
> wondering why we can't just change 
> /usr/share/selinux/devel/include/Makefile to do a $(findstring 
> mls,$TYPE)) instead, since its not unreasonable to think that TYPE=mls 
> makes sense.

There is some confusion here, the SELINUXTYPE is not the same as TYPE in
refpolicy, it is NAME in refpolicy.  The TYPE of the Redhat MLS policy
is strict-mls.  TYPE=mls does not make sense, since it does not specify
if the policy is strict or targeted.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Default Mikefile in /usr/share/selinux/devel not nice

[Michael C Thompson]

Chris PeBenito wrote:
> On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
>> I just discovered a nasty surprise waiting for me in the default 
>> Makefile provided by selinux-policy-devel.
>>
>> Basically, the Makefile produces, on an MLS system, a TYPE value of 
>> mls-msc (this is due to the SELINUXTYPE=mls line in 
>> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS, 
>> because the Makefile in /usr/share/selinux/devel/include/ does a 
>> findstring for '-mls'.
>>
>> Dan Walsh has suggested a fix for the default Makefile, but I'm 
>> wondering why we can't just change 
>> /usr/share/selinux/devel/include/Makefile to do a $(findstring 
>> mls,$TYPE)) instead, since its not unreasonable to think that TYPE=mls 
>> makes sense.
> 
> There is some confusion here, the SELINUXTYPE is not the same as TYPE in
> refpolicy, it is NAME in refpolicy.  The TYPE of the Redhat MLS policy
> is strict-mls.  TYPE=mls does not make sense, since it does not specify
> if the policy is strict or targeted.

Are there flags (like 'enable_mls') in the policy which require this 
delineation?

Mike



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Default Mikefile in /usr/share/selinux/devel not nice

[Christopher J. PeBenito]

On Mon, 2006-10-02 at 10:20 -0500, Michael C Thompson wrote:
> Chris PeBenito wrote:
> > On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
> >> I just discovered a nasty surprise waiting for me in the default 
> >> Makefile provided by selinux-policy-devel.
> >>
> >> Basically, the Makefile produces, on an MLS system, a TYPE value of 
> >> mls-msc (this is due to the SELINUXTYPE=mls line in 
> >> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS, 
> >> because the Makefile in /usr/share/selinux/devel/include/ does a 
> >> findstring for '-mls'.
> >>
> >> Dan Walsh has suggested a fix for the default Makefile, but I'm 
> >> wondering why we can't just change 
> >> /usr/share/selinux/devel/include/Makefile to do a $(findstring 
> >> mls,$TYPE)) instead, since its not unreasonable to think that TYPE=mls 
> >> makes sense.
> > 
> > There is some confusion here, the SELINUXTYPE is not the same as TYPE in
> > refpolicy, it is NAME in refpolicy.  The TYPE of the Redhat MLS policy
> > is strict-mls.  TYPE=mls does not make sense, since it does not specify
> > if the policy is strict or targeted.
> 
> Are there flags (like 'enable_mls') in the policy which require this 
> delineation?

Yes, strict_policy and targeted_policy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Default Mikefile in /usr/share/selinux/devel not nice

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 1414 bytes --]

Christopher J. PeBenito wrote:
> On Mon, 2006-10-02 at 10:20 -0500, Michael C Thompson wrote:
>   
>> Chris PeBenito wrote:
>>     
>>> On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
>>>       
>>>> I just discovered a nasty surprise waiting for me in the default 
>>>> Makefile provided by selinux-policy-devel.
>>>>
>>>> Basically, the Makefile produces, on an MLS system, a TYPE value of 
>>>> mls-msc (this is due to the SELINUXTYPE=mls line in 
>>>> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS, 
>>>> because the Makefile in /usr/share/selinux/devel/include/ does a 
>>>> findstring for '-mls'.
>>>>
>>>> Dan Walsh has suggested a fix for the default Makefile, but I'm 
>>>> wondering why we can't just change 
>>>> /usr/share/selinux/devel/include/Makefile to do a $(findstring 
>>>> mls,$TYPE)) instead, since its not unreasonable to think that TYPE=mls 
>>>> makes sense.
>>>>         
>>> There is some confusion here, the SELINUXTYPE is not the same as TYPE in
>>> refpolicy, it is NAME in refpolicy.  The TYPE of the Redhat MLS policy
>>> is strict-mls.  TYPE=mls does not make sense, since it does not specify
>>> if the policy is strict or targeted.
>>>       
>> Are there flags (like 'enable_mls') in the policy which require this 
>> delineation?
>>     
>
> Yes, strict_policy and targeted_policy.
>
>   

The latest Makefile in 2.3.17-2 should work properly.



[-- Attachment #2: Makefile --]
[-- Type: text/plain, Size: 437 bytes --]

# installation paths
SHAREDIR := /usr/share/selinux

AWK ?= gawk
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
	MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
	MCSFLAG=-mcs
endif

ifeq ($(NAME), mls)
	NAME = strict
	MCSFLAG = -mls
endif

TYPE ?= $(NAME)${MCSFLAG}
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile