* Default Mikefile in /usr/share/selinux/devel not nice
@ 2006-09-29 21:12 Michael C Thompson
2006-09-30 4:32 ` Chris PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Michael C Thompson @ 2006-09-29 21:12 UTC (permalink / raw)
To: SE Linux
I just discovered a nasty surprise waiting for me in the default
Makefile provided by selinux-policy-devel.
Basically, the Makefile produces, on an MLS system, a TYPE value of
mls-msc (this is due to the SELINUXTYPE=mls line in
/etc/selinux/config). This will not 'enable_mls' for the M4FLAGS,
because the Makefile in /usr/share/selinux/devel/include/ does a
findstring for '-mls'.
Dan Walsh has suggested a fix for the default Makefile, but I'm
wondering why we can't just change
/usr/share/selinux/devel/include/Makefile to do a $(findstring
mls,$TYPE)) instead, since it's not unreasonable to think that TYPE=mls
makes sense.
Thanks,
Mike
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Default Mikefile in /usr/share/selinux/devel not nice
2006-09-29 21:12 Default Mikefile in /usr/share/selinux/devel not nice Michael C Thompson
@ 2006-09-30 4:32 ` Chris PeBenito
2006-10-02 15:20 ` Michael C Thompson
0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2006-09-30 4:32 UTC (permalink / raw)
To: Michael C Thompson; +Cc: SE Linux
On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
> I just discovered a nasty surprise waiting for me in the default
> Makefile provided by selinux-policy-devel.
>
> Basically, the Makefile produces, on an MLS system, a TYPE value of
> mls-msc (this is due to the SELINUXTYPE=mls line in
> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS,
> because the Makefile in /usr/share/selinux/devel/include/ does a
> findstring for '-mls'.
>
> Dan Walsh has suggested a fix for the default Makefile, but I'm
> wondering why we can't just change
> /usr/share/selinux/devel/include/Makefile to do a $(findstring
> mls,$TYPE)) instead, since it's not unreasonable to think that TYPE=mls
> makes sense.
There is some confusion here, the SELINUXTYPE is not the same as TYPE in
refpolicy, it is NAME in refpolicy. The TYPE of the Redhat MLS policy
is strict-mls. TYPE=mls does not make sense, since it does not specify
if the policy is strict or targeted.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: Default Mikefile in /usr/share/selinux/devel not nice
2006-09-30 4:32 ` Chris PeBenito
@ 2006-10-02 15:20 ` Michael C Thompson
2006-10-02 15:33 ` Christopher J. PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Michael C Thompson @ 2006-10-02 15:20 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SE Linux
Chris PeBenito wrote:
> On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
>> I just discovered a nasty surprise waiting for me in the default
>> Makefile provided by selinux-policy-devel.
>>
>> Basically, the Makefile produces, on an MLS system, a TYPE value of
>> mls-msc (this is due to the SELINUXTYPE=mls line in
>> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS,
>> because the Makefile in /usr/share/selinux/devel/include/ does a
>> findstring for '-mls'.
>>
>> Dan Walsh has suggested a fix for the default Makefile, but I'm
>> wondering why we can't just change
>> /usr/share/selinux/devel/include/Makefile to do a $(findstring
>> mls,$TYPE)) instead, since it's not unreasonable to think that TYPE=mls
>> makes sense.
>
> There is some confusion here, the SELINUXTYPE is not the same as TYPE in
> refpolicy, it is NAME in refpolicy. The TYPE of the Redhat MLS policy
> is strict-mls. TYPE=mls does not make sense, since it does not specify
> if the policy is strict or targeted.
Are there flags (like 'enable_mls') in the policy which require this
delineation?
Mike
* Re: Default Mikefile in /usr/share/selinux/devel not nice
2006-10-02 15:20 ` Michael C Thompson
@ 2006-10-02 15:33 ` Christopher J. PeBenito
2006-10-02 20:47 ` Daniel J Walsh
0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2006-10-02 15:33 UTC (permalink / raw)
To: Michael C Thompson; +Cc: SE Linux
On Mon, 2006-10-02 at 10:20 -0500, Michael C Thompson wrote:
> Chris PeBenito wrote:
> > On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
> >> I just discovered a nasty surprise waiting for me in the default
> >> Makefile provided by selinux-policy-devel.
> >>
> >> Basically, the Makefile produces, on an MLS system, a TYPE value of
> >> mls-msc (this is due to the SELINUXTYPE=mls line in
> >> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS,
> >> because the Makefile in /usr/share/selinux/devel/include/ does a
> >> findstring for '-mls'.
> >>
> >> Dan Walsh has suggested a fix for the default Makefile, but I'm
> >> wondering why we can't just change
> >> /usr/share/selinux/devel/include/Makefile to do a $(findstring
> >> mls,$TYPE)) instead, since it's not unreasonable to think that TYPE=mls
> >> makes sense.
> >
> > There is some confusion here, the SELINUXTYPE is not the same as TYPE in
> > refpolicy, it is NAME in refpolicy. The TYPE of the Redhat MLS policy
> > is strict-mls. TYPE=mls does not make sense, since it does not specify
> > if the policy is strict or targeted.
>
> Are there flags (like 'enable_mls') in the policy which require this
> delineation?
Yes, strict_policy and targeted_policy.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* Re: Default Mikefile in /usr/share/selinux/devel not nice
2006-10-02 15:33 ` Christopher J. PeBenito
@ 2006-10-02 20:47 ` Daniel J Walsh
0 siblings, 0 replies; 5+ messages in thread
From: Daniel J Walsh @ 2006-10-02 20:47 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: Michael C Thompson, SE Linux
Christopher J. PeBenito wrote:
> On Mon, 2006-10-02 at 10:20 -0500, Michael C Thompson wrote:
>
>> Chris PeBenito wrote:
>>
>>> On Fri, 2006-09-29 at 16:12 -0500, Michael C Thompson wrote:
>>>
>>>> I just discovered a nasty surprise waiting for me in the default
>>>> Makefile provided by selinux-policy-devel.
>>>>
>>>> Basically, the Makefile produces, on an MLS system, a TYPE value of
>>>> mls-msc (this is due to the SELINUXTYPE=mls line in
>>>> /etc/selinux/config). This will not 'enable_mls' for the M4FLAGS,
>>>> because the Makefile in /usr/share/selinux/devel/include/ does a
>>>> findstring for '-mls'.
>>>>
>>>> Dan Walsh has suggested a fix for the default Makefile, but I'm
>>>> wondering why we can't just change
>>>> /usr/share/selinux/devel/include/Makefile to do a $(findstring
>>>> mls,$TYPE)) instead, since it's not unreasonable to think that TYPE=mls
>>>> makes sense.
>>>>
>>> There is some confusion here, the SELINUXTYPE is not the same as TYPE in
>>> refpolicy, it is NAME in refpolicy. The TYPE of the Redhat MLS policy
>>> is strict-mls. TYPE=mls does not make sense, since it does not specify
>>> if the policy is strict or targeted.
>>>
>> Are there flags (like 'enable_mls') in the policy which require this
>> delineation?
>>
>
> Yes, strict_policy and targeted_policy.
>
>
The latest Makefile in 2.3.17-2 should work properly.
[-- Attachment #2: Makefile --]
[-- Type: text/plain, Size: 437 bytes --]
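# installation paths
SHAREDIR := /usr/share/selinux

AWK ?= gawk

# Policy name as configured on this system (SELINUXTYPE in /etc/selinux/config)
NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))

# 1 if the loaded policy has MLS/MCS support; assume 1 when /selinux/mls cannot be read
MLSENABLED := $(shell cat /selinux/mls)
ifeq ($(MLSENABLED),)
MLSENABLED := 1
endif

ifeq ($(MLSENABLED),1)
MCSFLAG=-mcs
endif

# SELINUXTYPE=mls is built as the refpolicy TYPE strict-mls
ifeq ($(NAME), mls)
NAME = strict
MCSFLAG = -mls
endif

TYPE ?= $(NAME)${MCSFLAG}
HEADERDIR := $(SHAREDIR)/devel/include
include $(HEADERDIR)/Makefile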
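
Added example (not part of the thread or of selinux-policy-devel): a shell check that follows the TYPE derivation in the attached Makefile and applies the '-mls' substring test the first message describes, so the resulting enable_mls decision can be confirmed before building a module. The function names are hypothetical and the sample config is constructed.

```shell
#!/bin/sh
# Added example: mirrors the TYPE derivation in the attached Makefile.

# Read SELINUXTYPE from a config file (same awk match the Makefile uses).
selinuxtype_from_config() {
    awk -F= '/^SELINUXTYPE/{ gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# derive_type NAME MLSENABLED -> TYPE, following the attached Makefile:
# -mcs when MLS support is on (or unknown), and NAME=mls remapped to strict-mls.
derive_type() {
    name=$1
    mlsenabled=${2:-1}
    flag=""
    if [ "$mlsenabled" = "1" ]; then flag="-mcs"; fi
    if [ "$name" = "mls" ]; then
        name="strict"
        flag="-mls"
    fi
    printf '%s%s\n' "$name" "$flag"
}

# Substring test for "-mls", the check the thread says the include Makefile
# uses to decide on enable_mls. Returns 0 when enable_mls would be set.
enables_mls() {
    case $1 in
        *-mls*) return 0 ;;
        *)      return 1 ;;
    esac
}

# report CONFIG MLSENABLED -> "NAME TYPE enable_mls=yes|no"
report() {
    name=$(selinuxtype_from_config "$1")
    ptype=$(derive_type "$name" "$2")
    if enables_mls "$ptype"; then mls=yes; else mls=no; fi
    printf '%s %s enable_mls=%s\n' "$name" "$ptype" "$mls"
}

# Constructed sample config for an MLS system.
sample=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$sample"
report "$sample" 1          # mls strict-mls enable_mls=yes
# The TYPE value reported in the first message fails the same test.
enables_mls "mls-msc" || echo "mls-msc enable_mls=no"
rm -f "$sample"
```

On a real system, pass /etc/selinux/config and the contents of /selinux/mls to report.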