From: Daniel J Walsh <dwalsh@redhat.com>
To: "Jeremy A. Mowery" <jmowery@tresys.com>
Cc: SE Linux <selinux@tycho.nsa.gov>,
	"Christopher J. PeBenito" <cpebenito@tresys.com>,
	setools@tresys.com
Subject: Re: setools is still broken in rawhide.
Date: Mon, 04 Feb 2008 11:01:31 -0500	[thread overview]
Message-ID: <47A736DB.4030909@redhat.com> (raw)
In-Reply-To: <200802041034.55986.jmowery@tresys.com>

Jeremy A. Mowery wrote:
> On Friday 01 February 2008 23:35:51 Daniel J Walsh wrote:
>> This patch fixes two functions in libqpol/util.c
>>
>> is_binpol_valid should return true if the policy version is greater than
>> or equal to the policy installed in the kernel.
>>
> 
> This function is used to assert that the version of the policy matches
> the version for which we were looking. The name may be a bit misleading;
> previous versions had more complex validation logic we no longer need
> as this logic already exists in libsepol.
> 
>> search_binary_policy_file
>>
>> Should return 0 on success, meaning it found a policy.
>>
>> And return 1 if the return code is < 0;
> 
> This change would prevent tools from handling errors in policy searching 
> correctly; the difference in a negative and positive return code is
> used to distinguish the case where a default policy could not be found
> and the case where searching for the policy could not be completed.
>>
>>
>> Making these changes allows seinfo and sesearch to find policy.22 on a
>> machine running policy.21
>>
> 
> This is intentionally not done. If the system cannot load a version 22 policy,
> SETools will only search for a policy of version 21 or less.  SETools 
> intentionally does not use the policy downgrade code when loading policies;
> this would break the assertion that the policy is analyzed "as is" and not
> altered by the libraries.
> 
> 
> Jeremy A. Mowery
> Tresys Technology
> 410-290-1411 x148

So when we have a legitimate case like we have now, the user is out of
luck.  There should be an option that says I want exact match, or the
default to search for a close enough match.  Tools are starting to use
seinfo/sesearch and we give this to users as a way to examine policy.

Why sacrifice usability for the goal of having an exact match?  My fix
might not be correct, but sesearch/seinfo have got to work in the
situation where the kernel has downgraded the policy.
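The return-code split Jeremy describes (0 when a policy is found, a positive value when none fits, a negative value when the search itself cannot be completed) and the exact-versus-close-enough option Dan asks for, written out as an added C example that is not libqpol's code. parse_policy_version, search_policy and the match_mode values are hypothetical names, and the directory listing is a constructed array rather than a real read of the policy directory.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not libqpol code; names and modes are hypothetical. */
enum match_mode { MATCH_EXACT, MATCH_AT_MOST, MATCH_NEAREST };

/* Parse a "policy.N" file name into N; -1 if it is not a binary policy. */
int parse_policy_version(const char *name)
{
    const char *prefix = "policy.";
    size_t plen = strlen(prefix);
    if (!name || strncmp(name, prefix, plen) != 0)
        return -1;
    char *end;
    long v = strtol(name + plen, &end, 10);
    return (end == name + plen || *end != '\0' || v <= 0 || v > 999) ? -1 : (int)v;
}

/* Returns 0 and sets *chosen when a listed policy fits kernel_ver, 1 when the
 * search completed but none fits, and -1 (errno = EINVAL) when the search
 * itself could not be carried out, so callers can tell the two apart. */
int search_policy(const char *const *names, size_t n, int kernel_ver,
                  enum match_mode mode, int *chosen)
{
    if (!names || !chosen || kernel_ver <= 0) {
        errno = EINVAL;
        return -1;
    }
    int best = -1, best_dist = 0;
    for (size_t i = 0; i < n; i++) {
        int v = parse_policy_version(names[i]);
        if (v < 0)                                  /* policy.bak, policy.local */
            continue;
        if (mode == MATCH_EXACT && v != kernel_ver)
            continue;
        if (mode == MATCH_AT_MOST && v > kernel_ver)
            continue;
        int dist = v > kernel_ver ? v - kernel_ver : kernel_ver - v;
        /* Closest version wins; on a tie prefer the lower one, which the
         * kernel can load without downgrading. */
        if (best < 0 || dist < best_dist || (dist == best_dist && v < best)) { best = v; best_dist = dist; }
    }
    if (best < 0)
        return 1;
    *chosen = best;
    return 0;
}
```

With MATCH_AT_MOST the function behaves as Jeremy describes (version 21 or less on a machine running 21), while MATCH_NEAREST accepts the policy.22 that Dan's machine has after the kernel downgraded it.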
