* This patch adds permissive to semanage
@ 2008-06-30 16:02 Daniel J Walsh
2008-06-30 17:58 ` Joshua Brindle
0 siblings, 1 reply; 15+ messages in thread
From: Daniel J Walsh @ 2008-06-30 16:02 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 169 bytes --]
Gives users the ability to set a domain as permissive
semanage permissive -a http_t
It created a policy module named permissive_httpd_t.pp with the
permissive call.
[-- Attachment #2: permissive.patch --]
[-- Type: text/plain, Size: 8396 bytes --]
--- nsapolicycoreutils/semanage/semanage 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage 2008-06-30 11:49:38.000000000 -0400
@@ -43,49 +43,52 @@
if __name__ == '__main__':
def usage(message = ""):
- print _('\
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
-semanage login -{a|d|m} [-sr] login_name\n\
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
-semanage interface -{a|d|m} [-tr] interface_spec\n\
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
-semanage translation -{a|d|m} [-T] level\n\n\
-semanage boolean -{d|m} boolean\n\n\
-\
-Primary Options:\n\
-\
- -a, --add Add a OBJECT record NAME\n\
- -d, --delete Delete a OBJECT record NAME\n\
- -m, --modify Modify a OBJECT record NAME\n\
- -l, --list List the OBJECTS\n\n\
- -C, --locallist List OBJECTS local customizations\n\n\
- -D, --deleteall Remove all OBJECTS local customizations\n\
-\
- -h, --help Display this message\n\
- -n, --noheading Do not print heading when listing OBJECTS\n\
- -S, --store Select and alternate SELinux store to manage\n\n\
-Object-specific Options (see above):\n\
- -f, --ftype File Type of OBJECT \n\
- "" (all files) \n\
- -- (regular file) \n\
- -d (directory) \n\
- -c (character device) \n\
- -b (block device) \n\
- -s (socket) \n\
- -l (symbolic link) \n\
- -p (named pipe) \n\n\
-\
- -p, --proto Port protocol (tcp or udp)\n\
- -P, --prefix Prefix for home directory labeling\n\
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
-\
- -s, --seuser SELinux User Name\n\
- -t, --type SELinux Type for the object\n\
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
-')
+ print _("""
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
+semanage login -{a|d|m} [-sr] login_name
+semanage user -{a|d|m} [-LrRP] selinux_name
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
+semanage interface -{a|d|m} [-tr] interface_spec
+semanage fcontext -{a|d|m} [-frst] file_spec
+semanage translation -{a|d|m} [-T] level
+semanage boolean -{d|m} boolean
+semanage permissive -{d|a} type
+
+Primary Options:
+
+ -a, --add Add a OBJECT record NAME
+ -d, --delete Delete a OBJECT record NAME
+ -m, --modify Modify a OBJECT record NAME
+ -l, --list List the OBJECTS
+ -C, --locallist List OBJECTS local customizations
+ -D, --deleteall Remove all OBJECTS local customizations
+
+ -h, --help Display this message
+ -n, --noheading Do not print heading when listing OBJECTS
+ -S, --store Select and alternate SELinux store to manage
+
+Object-specific Options (see above):
+
+ -f, --ftype File Type of OBJECT
+ "" (all files)
+ -- (regular file)
+ -d (directory)
+ -c (character device)
+ -b (block device)
+ -s (socket)
+ -l (symbolic link)
+ -p (named pipe)
+
+ -p, --proto Port protocol (tcp or udp)
+ -P, --prefix Prefix for home directory labeling
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
+
+ -s, --seuser SELinux User Name
+ -t, --type SELinux Type for the object
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
+""")
print message
sys.exit(1)
@@ -112,6 +115,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
#
@@ -266,6 +271,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -302,6 +310,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
--- nsapolicycoreutils/semanage/semanage.8 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-06-30 11:49:38.000000000 -0400
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -101,10 +103,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
--- nsapolicycoreutils/semanage/seobject.py 2008-06-12 23:25:21.000000000 -0400
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-06-30 11:49:38.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,67 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+
+ def get_all(self):
+ rc, out = commands.getstatusoutput("semodule -l | grep ^permissive");
+ l = []
+ for i in out.split():
+ if i.startswith("permissive_"):
+ l.append(i.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/lib/selinux"
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ rc, out = commands.getstatusoutput("semodule -i permissive_%s.pp" % type);
+ for root, dirs, files in os.walk("top", topdown=False):
+ for name in files:
+ os.remove(os.path.join(root, name))
+ for name in dirs:
+ os.rmdir(os.path.join(root, name))
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ rc, out = commands.getstatusoutput("semodule -r permissive_%s" % name );
+ if rc != 0:
+ raise ValueError(out)
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ all = " permissive_".join(l)
+ self.delete(all)
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
@@ -464,7 +526,7 @@
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
- def add(self, name, roles, selevel, serange, prefix):
+ def add(self, name, roles, selevel, serange, prefix = "user"):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-06-30 16:02 This patch adds permissive to semanage Daniel J Walsh
@ 2008-06-30 17:58 ` Joshua Brindle
2008-07-02 0:50 ` Daniel J Walsh
2008-07-02 12:00 ` Stephen Smalley
0 siblings, 2 replies; 15+ messages in thread
From: Joshua Brindle @ 2008-06-30 17:58 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
Daniel J Walsh wrote:
> Gives users the ability to set a domain as permissive
>
>
> semanage permissive -a http_t
>
> It created a policy module named permissive_httpd_t.pp with the
> permissive call.
>
So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
I would prefer a more 'pure' approach where we keep a list of permissive types and inject them into the kernel policy after linking (like libsemanage does with users, ports, nodes, etc) but I understand that adding a whole new set of databases and interfaces is both annoying and time consuming so I'm fine with it working on modules, I'd just like to see it using libsemanage interfaces instead of calling semodule.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-06-30 17:58 ` Joshua Brindle
@ 2008-07-02 0:50 ` Daniel J Walsh
2008-07-02 12:00 ` Stephen Smalley
1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-07-02 0:50 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE Linux
[-- Attachment #1: Type: text/plain, Size: 1338 bytes --]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Joshua Brindle wrote:
| Daniel J Walsh wrote:
|> Gives users the ability to set a domain as permissive
|>
|>
|> semanage permissive -a http_t
|>
|> It created a policy module named permissive_httpd_t.pp with the
|> permissive call.
|>
|
| So, a really quick glance brings up a couple issues. First you have
'-n', '--noheading' which aren't documented in the man page or
elsewhere. Second (and more importantly) why are you executing semodule
like that? libsemanage is the library that manages modules, and also the
library used by semanage for everything else.
|
| I would prefer a more 'pure' approach where we keep a list of
permissive types and inject them into the kernel policy after linking
(like libsemanage does with users, ports, nodes, etc) but I understand
that adding a whole new set of databases and interfaces is both annoying
and time consuming so I'm fine with it working on modules, I'd just like
to see it using libsemanage interfaces instead of calling semodule.
|
|
Rewrote patch to use libsemanage functions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkhq0MQACgkQrlYvE4MpobOg0ACgwl8+koyNS7ktbc2jplovEano
WZQAnj+ITOMlmeBuO/HTUXCS2m9Jcqj/
=/3Bu
-----END PGP SIGNATURE-----
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 11083 bytes --]
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.50/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2008-05-06 14:33:04.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage 2008-07-01 20:31:40.000000000 -0400
@@ -43,49 +43,52 @@
if __name__ == '__main__':
def usage(message = ""):
- print _('\
-semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n] \n\
-semanage login -{a|d|m} [-sr] login_name\n\
-semanage user -{a|d|m} [-LrRP] selinux_name\n\
-semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range\n\
-semanage interface -{a|d|m} [-tr] interface_spec\n\
-semanage fcontext -{a|d|m} [-frst] file_spec\n\
-semanage translation -{a|d|m} [-T] level\n\n\
-semanage boolean -{d|m} boolean\n\n\
-\
-Primary Options:\n\
-\
- -a, --add Add a OBJECT record NAME\n\
- -d, --delete Delete a OBJECT record NAME\n\
- -m, --modify Modify a OBJECT record NAME\n\
- -l, --list List the OBJECTS\n\n\
- -C, --locallist List OBJECTS local customizations\n\n\
- -D, --deleteall Remove all OBJECTS local customizations\n\
-\
- -h, --help Display this message\n\
- -n, --noheading Do not print heading when listing OBJECTS\n\
- -S, --store Select and alternate SELinux store to manage\n\n\
-Object-specific Options (see above):\n\
- -f, --ftype File Type of OBJECT \n\
- "" (all files) \n\
- -- (regular file) \n\
- -d (directory) \n\
- -c (character device) \n\
- -b (block device) \n\
- -s (socket) \n\
- -l (symbolic link) \n\
- -p (named pipe) \n\n\
-\
- -p, --proto Port protocol (tcp or udp)\n\
- -P, --prefix Prefix for home directory labeling\n\
- -L, --level Default SELinux Level (MLS/MCS Systems only)\n\
- -R, --roles SELinux Roles (ex: "sysadm_r staff_r")\n\
- -T, --trans SELinux Level Translation (MLS/MCS Systems only)\n\n\
-\
- -s, --seuser SELinux User Name\n\
- -t, --type SELinux Type for the object\n\
- -r, --range MLS/MCS Security Range (MLS/MCS Systems only)\n\
-')
+ print _("""
+semanage {boolean|login|user|port|interface|fcontext|translation} -{l|D} [-n]
+semanage login -{a|d|m} [-sr] login_name
+semanage user -{a|d|m} [-LrRP] selinux_name
+semanage port -{a|d|m} [-tr] [ -p proto ] port | port_range
+semanage interface -{a|d|m} [-tr] interface_spec
+semanage fcontext -{a|d|m} [-frst] file_spec
+semanage translation -{a|d|m} [-T] level
+semanage boolean -{d|m} boolean
+semanage permissive -{d|a} type
+
+Primary Options:
+
+ -a, --add Add a OBJECT record NAME
+ -d, --delete Delete a OBJECT record NAME
+ -m, --modify Modify a OBJECT record NAME
+ -l, --list List the OBJECTS
+ -C, --locallist List OBJECTS local customizations
+ -D, --deleteall Remove all OBJECTS local customizations
+
+ -h, --help Display this message
+ -n, --noheading Do not print heading when listing OBJECTS
+ -S, --store Select and alternate SELinux store to manage
+
+Object-specific Options (see above):
+
+ -f, --ftype File Type of OBJECT
+ "" (all files)
+ -- (regular file)
+ -d (directory)
+ -c (character device)
+ -b (block device)
+ -s (socket)
+ -l (symbolic link)
+ -p (named pipe)
+
+ -p, --proto Port protocol (tcp or udp)
+ -P, --prefix Prefix for home directory labeling
+ -L, --level Default SELinux Level (MLS/MCS Systems only)
+ -R, --roles SELinux Roles (ex: "sysadm_r staff_r")
+ -T, --trans SELinux Level Translation (MLS/MCS Systems only)
+
+ -s, --seuser SELinux User Name
+ -t, --type SELinux Type for the object
+ -r, --range MLS/MCS Security Range (MLS/MCS Systems only)
+""")
print message
sys.exit(1)
@@ -112,6 +115,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
#
@@ -266,6 +271,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -302,6 +310,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.50/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-05-06 14:33:04.000000000 -0400
+++ policycoreutils-2.0.50/semanage/semanage.8 2008-07-01 20:33:48.000000000 -0400
@@ -3,7 +3,7 @@
semanage \- SELinux Policy Management tool
.SH "SYNOPSIS"
-.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|lC|D} [\-n]
+.B semanage {boolean|login|user|port|interface|fcontext|translation} \-{l|D} [\-n] [\-S store]
.br
.B semanage boolean \-{d|m} [\-\-on|\-\-off|\-1|\-0] boolean
.br
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -85,6 +87,9 @@
.I \-s, \-\-seuser
SELinux user name
.TP
+.I \-S, \-\-store
+Select and alternate SELinux store to manage
+.TP
.I \-t, \-\-type
SELinux Type for the object
.TP
@@ -101,10 +106,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.12 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.50/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-05-16 10:55:38.000000000 -0400
+++ policycoreutils-2.0.50/semanage/seobject.py 2008-07-01 20:30:55.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,103 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+ self.sh = semanage_handle_create()
+ if not self.sh:
+ raise ValueError(_("Could not create semanage handle"))
+
+ if store != "":
+ semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT);
+
+ self.semanaged = semanage_is_managed(self.sh)
+
+ if not self.semanaged:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
+
+ rc = semanage_access_check(self.sh)
+ if rc < SEMANAGE_CAN_READ:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Cannot read policy store."))
+
+ rc = semanage_connect(self.sh)
+ if rc < 0:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Could not establish semanage connection"))
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+ name = semanage_module_get_name(mod)
+ if name and name.startswith("permissive_"):
+ l.append(name.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/lib/selinux"
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ fd = open("permissive_%s.pp" % type)
+ data = fd.read()
+ fd.close()
+
+ rc = semanage_module_install(self.sh, data, len(data));
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s") % name)
+ for root, dirs, files in os.walk("tmp", topdown=False):
+ for name in files:
+ os.remove(os.path.join(root, name))
+ for name in dirs:
+ os.rmdir(os.path.join(root, name))
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ for n in name.split():
+ rc = semanage_module_remove(self.sh, "permissive_%s" % n)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s") % name)
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ all = " ".join(l)
+ self.delete(all)
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
@@ -464,7 +562,7 @@
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
- def add(self, name, roles, selevel, serange, prefix):
+ def add(self, name, roles, selevel, serange, prefix = "user"):
if is_mls_enabled == 1:
if serange == "":
serange = "s0"
[-- Attachment #3: diff.sig --]
[-- Type: application/pgp-signature, Size: 72 bytes --]
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-06-30 17:58 ` Joshua Brindle
2008-07-02 0:50 ` Daniel J Walsh
@ 2008-07-02 12:00 ` Stephen Smalley
2008-07-02 13:09 ` Joshua Brindle
1 sibling, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2008-07-02 12:00 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, SE Linux
On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
> Daniel J Walsh wrote:
> > Gives users the ability to set a domain as permissive
> >
> >
> > semanage permissive -a http_t
> >
> > It created a policy module named permissive_httpd_t.pp with the
> > permissive call.
> >
>
> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>
> I would prefer a more 'pure' approach where we keep a list of
> permissive types and inject them into the kernel policy after linking
> (like libsemanage does with users, ports, nodes, etc) but I understand
> that adding a whole new set of databases and interfaces is both
> annoying and time consuming so I'm fine with it working on modules,
> I'd just like to see it using libsemanage interfaces instead of
> calling semodule.
Why do you see direct use of the libsemanage interfaces as preferable to
invoking semodule (aside from performance, and this isn't really
performance critical)?
I'm unclear on the tradeoff being made there, as composing small
programs together to perform more complex operation is the Unix (tm)
way ;)
The advantage of just invoking semodule is that semodule is already a
well-tested program that performs that function well, does proper error
checking and handling of the various libsemanage calls, etc. And if we
later fix a bug or introduce new functionality there, we only have to do
it once vs. in multiple places.
And the semanage permissive code already has to invoke a helper program
to compile the policy module from source to binary, at least today, so
it isn't much different to invoke semodule to install the binary module.
Then there is the issue of being able to run the semodule stage of
processing in a separate domain, although at present semanage and
semodule operate in the same domain so it makes no difference at
present.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 12:00 ` Stephen Smalley
@ 2008-07-02 13:09 ` Joshua Brindle
2008-07-02 13:17 ` Stephen Smalley
2008-07-02 18:07 ` Daniel J Walsh
0 siblings, 2 replies; 15+ messages in thread
From: Joshua Brindle @ 2008-07-02 13:09 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
Stephen Smalley wrote:
> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> Gives users the ability to set a domain as permissive
>>>
>>>
>>> semanage permissive -a http_t
>>>
>>> It created a policy module named permissive_httpd_t.pp with the
>>> permissive call.
>>>
>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>
>> I would prefer a more 'pure' approach where we keep a list of
>> permissive types and inject them into the kernel policy after linking
>> (like libsemanage does with users, ports, nodes, etc) but I understand
>> that adding a whole new set of databases and interfaces is both
>> annoying and time consuming so I'm fine with it working on modules,
>> I'd just like to see it using libsemanage interfaces instead of
>> calling semodule.
>
> Why do you see direct use of the libsemanage interfaces as preferable to
> invoking semodule (aside from performance, and this isn't really
> performance critical)?
>
> I'm unclear on the tradeoff being made there, as composing small
> programs together to perform more complex operation is the Unix (tm)
> way ;)
>
> The advantage of just invoking semodule is that semodule is already a
> well-tested program that performs that function well, does proper error
> checking and handling of the various libsemanage calls, etc. And if we
> later fix a bug or introduce new functionality there, we only have to do
> it once vs. in multiple places.
>
> And the semanage permissive code already has to invoke a helper program
> to compile the policy module from source to binary, at least today, so
> it isn't much different to invoke semodule to install the binary module.
>
> Then there is the issue of being able to run the semodule stage of
> processing in a separate domain, although at present semanage and
> semodule operate in the same domain so it makes no difference at
> present.
>
Maybe its just personal preference but I see using library interfaces as much more clean than invoking semodule and grepping. semanage already uses the library interfaces for everything else so this would be the one case where it doesn't. He already fixed it up to use the interfaces so its moot at this point.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 13:09 ` Joshua Brindle
@ 2008-07-02 13:17 ` Stephen Smalley
2008-07-02 13:37 ` Joshua Brindle
2008-07-02 18:07 ` Daniel J Walsh
1 sibling, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2008-07-02 13:17 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, SE Linux
On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
> >> Daniel J Walsh wrote:
> >>> Gives users the ability to set a domain as permissive
> >>>
> >>>
> >>> semanage permissive -a http_t
> >>>
> >>> It created a policy module named permissive_httpd_t.pp with the
> >>> permissive call.
> >>>
> >> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
> >>
> >> I would prefer a more 'pure' approach where we keep a list of
> >> permissive types and inject them into the kernel policy after linking
> >> (like libsemanage does with users, ports, nodes, etc) but I understand
> >> that adding a whole new set of databases and interfaces is both
> >> annoying and time consuming so I'm fine with it working on modules,
> >> I'd just like to see it using libsemanage interfaces instead of
> >> calling semodule.
> >
> > Why do you see direct use of the libsemanage interfaces as preferable to
> > invoking semodule (aside from performance, and this isn't really
> > performance critical)?
> >
> > I'm unclear on the tradeoff being made there, as composing small
> > programs together to perform more complex operation is the Unix (tm)
> > way ;)
> >
> > The advantage of just invoking semodule is that semodule is already a
> > well-tested program that performs that function well, does proper error
> > checking and handling of the various libsemanage calls, etc. And if we
> > later fix a bug or introduce new functionality there, we only have to do
> > it once vs. in multiple places.
> >
> > And the semanage permissive code already has to invoke a helper program
> > to compile the policy module from source to binary, at least today, so
> > it isn't much different to invoke semodule to install the binary module.
> >
> > Then there is the issue of being able to run the semodule stage of
> > processing in a separate domain, although at present semanage and
> > semodule operate in the same domain so it makes no difference at
> > present.
> >
>
> Maybe its just personal preference but I see using library interfaces
> as much more clean than invoking semodule and grepping. semanage
> already uses the library interfaces for everything else so this would
> be the one case where it doesn't. He already fixed it up to use the
> interfaces so its moot at this point.
Well, it doesn't have to be moot - we can always take the first
implementation if we think it best. But I'm not fundamentally opposed
to the latter approach, just wanted to explore the rationale. One thing
I would note however is that I see lack of complete error return
checking in the new code that would have been properly checked by
semodule...
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 13:17 ` Stephen Smalley
@ 2008-07-02 13:37 ` Joshua Brindle
2008-07-02 14:29 ` Stephen Smalley
0 siblings, 1 reply; 15+ messages in thread
From: Joshua Brindle @ 2008-07-02 13:37 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
Stephen Smalley wrote:
> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>>> Daniel J Walsh wrote:
>>>>> Gives users the ability to set a domain as permissive
>>>>>
>>>>>
>>>>> semanage permissive -a http_t
>>>>>
>>>>> It created a policy module named permissive_httpd_t.pp with the
>>>>> permissive call.
>>>>>
>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>>
>>>> I would prefer a more 'pure' approach where we keep a list of
>>>> permissive types and inject them into the kernel policy after linking
>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>>> that adding a whole new set of databases and interfaces is both
>>>> annoying and time consuming so I'm fine with it working on modules,
>>>> I'd just like to see it using libsemanage interfaces instead of
>>>> calling semodule.
>>> Why do you see direct use of the libsemanage interfaces as preferable to
>>> invoking semodule (aside from performance, and this isn't really
>>> performance critical)?
>>>
>>> I'm unclear on the tradeoff being made there, as composing small
>>> programs together to perform more complex operation is the Unix (tm)
>>> way ;)
>>>
>>> The advantage of just invoking semodule is that semodule is already a
>>> well-tested program that performs that function well, does proper error
>>> checking and handling of the various libsemanage calls, etc. And if we
>>> later fix a bug or introduce new functionality there, we only have to do
>>> it once vs. in multiple places.
>>>
>>> And the semanage permissive code already has to invoke a helper program
>>> to compile the policy module from source to binary, at least today, so
>>> it isn't much different to invoke semodule to install the binary module.
>>>
>>> Then there is the issue of being able to run the semodule stage of
>>> processing in a separate domain, although at present semanage and
>>> semodule operate in the same domain so it makes no difference at
>>> present.
>>>
>> Maybe its just personal preference but I see using library interfaces
>> as much more clean than invoking semodule and grepping. semanage
>> already uses the library interfaces for everything else so this would
>> be the one case where it doesn't. He already fixed it up to use the
>> interfaces so its moot at this point.
>
> Well, it doesn't have to be moot - we can always take the first
> implementation if we think it best. But I'm not fundamentally opposed
> to the latter approach, just wanted to explore the rationale. One thing
> I would note however is that I see lack of complete error return
> checking in the new code that would have been properly checked by
> semodule...
>
I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
Maybe deep down inside I'm just not a unix programmer ;)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 13:37 ` Joshua Brindle
@ 2008-07-02 14:29 ` Stephen Smalley
2008-07-02 18:09 ` Daniel J Walsh
2008-07-02 19:06 ` Joshua Brindle
0 siblings, 2 replies; 15+ messages in thread
From: Stephen Smalley @ 2008-07-02 14:29 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, SE Linux
On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
> >>>> Daniel J Walsh wrote:
> >>>>> Gives users the ability to set a domain as permissive
> >>>>>
> >>>>>
> >>>>> semanage permissive -a http_t
> >>>>>
> >>>>> It created a policy module named permissive_httpd_t.pp with the
> >>>>> permissive call.
> >>>>>
> >>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
> >>>>
> >>>> I would prefer a more 'pure' approach where we keep a list of
> >>>> permissive types and inject them into the kernel policy after linking
> >>>> (like libsemanage does with users, ports, nodes, etc) but I understand
> >>>> that adding a whole new set of databases and interfaces is both
> >>>> annoying and time consuming so I'm fine with it working on modules,
> >>>> I'd just like to see it using libsemanage interfaces instead of
> >>>> calling semodule.
> >>> Why do you see direct use of the libsemanage interfaces as preferable to
> >>> invoking semodule (aside from performance, and this isn't really
> >>> performance critical)?
> >>>
> >>> I'm unclear on the tradeoff being made there, as composing small
> >>> programs together to perform more complex operation is the Unix (tm)
> >>> way ;)
> >>>
> >>> The advantage of just invoking semodule is that semodule is already a
> >>> well-tested program that performs that function well, does proper error
> >>> checking and handling of the various libsemanage calls, etc. And if we
> >>> later fix a bug or introduce new functionality there, we only have to do
> >>> it once vs. in multiple places.
> >>>
> >>> And the semanage permissive code already has to invoke a helper program
> >>> to compile the policy module from source to binary, at least today, so
> >>> it isn't much different to invoke semodule to install the binary module.
> >>>
> >>> Then there is the issue of being able to run the semodule stage of
> >>> processing in a separate domain, although at present semanage and
> >>> semodule operate in the same domain so it makes no difference at
> >>> present.
> >>>
> >> Maybe its just personal preference but I see using library interfaces
> >> as much more clean than invoking semodule and grepping. semanage
> >> already uses the library interfaces for everything else so this would
> >> be the one case where it doesn't. He already fixed it up to use the
> >> interfaces so its moot at this point.
> >
> > Well, it doesn't have to be moot - we can always take the first
> > implementation if we think it best. But I'm not fundamentally opposed
> > to the latter approach, just wanted to explore the rationale. One thing
> > I would note however is that I see lack of complete error return
> > checking in the new code that would have been properly checked by
> > semodule...
> >
>
> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
>
> Maybe deep down inside I'm just not a unix programmer ;)
Ok, that's fine with me.
Maybe my own bias is just against python code compared to good olde C
programs!
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 13:09 ` Joshua Brindle
2008-07-02 13:17 ` Stephen Smalley
@ 2008-07-02 18:07 ` Daniel J Walsh
1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-07-02 18:07 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Stephen Smalley, SE Linux
Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>> Daniel J Walsh wrote:
>>>> Gives users the ability to set a domain as permissive
>>>>
>>>>
>>>> semanage permissive -a http_t
>>>>
>>>> It created a policy module named permissive_httpd_t.pp with the
>>>> permissive call.
>>>>
>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>
>>> I would prefer a more 'pure' approach where we keep a list of
>>> permissive types and inject them into the kernel policy after linking
>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>> that adding a whole new set of databases and interfaces is both
>>> annoying and time consuming so I'm fine with it working on modules,
>>> I'd just like to see it using libsemanage interfaces instead of
>>> calling semodule.
>> Why do you see direct use of the libsemanage interfaces as preferable to
>> invoking semodule (aside from performance, and this isn't really
>> performance critical)?
>>
>> I'm unclear on the tradeoff being made there, as composing small
>> programs together to perform more complex operation is the Unix (tm)
>> way ;)
>>
>> The advantage of just invoking semodule is that semodule is already a
>> well-tested program that performs that function well, does proper error
>> checking and handling of the various libsemanage calls, etc. And if we
>> later fix a bug or introduce new functionality there, we only have to do
>> it once vs. in multiple places.
>>
>> And the semanage permissive code already has to invoke a helper program
>> to compile the policy module from source to binary, at least today, so
>> it isn't much different to invoke semodule to install the binary module.
>>
>> Then there is the issue of being able to run the semodule stage of
>> processing in a separate domain, although at present semanage and
>> semodule operate in the same domain so it makes no difference at
>> present.
>>
>
> Maybe its just personal preference but I see using library interfaces as much more clean than invoking semodule and grepping. semanage already uses the library interfaces for everything else so this would be the one case where it doesn't. He already fixed it up to use the interfaces so its moot at this point.
>
One good reason to do it is to test the interfaces or at least the
python interfaces to make sure they work. I was pleasantly surprised
when they did. Although the semodule -l interface is particularly hideous.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 14:29 ` Stephen Smalley
@ 2008-07-02 18:09 ` Daniel J Walsh
2008-07-02 19:06 ` Joshua Brindle
1 sibling, 0 replies; 15+ messages in thread
From: Daniel J Walsh @ 2008-07-02 18:09 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Joshua Brindle, SE Linux
Stephen Smalley wrote:
> On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Gives users the ability to set a domain as permissive
>>>>>>>
>>>>>>>
>>>>>>> semanage permissive -a http_t
>>>>>>>
>>>>>>> It created a policy module named permissive_httpd_t.pp with the
>>>>>>> permissive call.
>>>>>>>
>>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>>>>
>>>>>> I would prefer a more 'pure' approach where we keep a list of
>>>>>> permissive types and inject them into the kernel policy after linking
>>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>>>>> that adding a whole new set of databases and interfaces is both
>>>>>> annoying and time consuming so I'm fine with it working on modules,
>>>>>> I'd just like to see it using libsemanage interfaces instead of
>>>>>> calling semodule.
>>>>> Why do you see direct use of the libsemanage interfaces as preferable to
>>>>> invoking semodule (aside from performance, and this isn't really
>>>>> performance critical)?
>>>>>
>>>>> I'm unclear on the tradeoff being made there, as composing small
>>>>> programs together to perform more complex operation is the Unix (tm)
>>>>> way ;)
>>>>>
>>>>> The advantage of just invoking semodule is that semodule is already a
>>>>> well-tested program that performs that function well, does proper error
>>>>> checking and handling of the various libsemanage calls, etc. And if we
>>>>> later fix a bug or introduce new functionality there, we only have to do
>>>>> it once vs. in multiple places.
>>>>>
>>>>> And the semanage permissive code already has to invoke a helper program
>>>>> to compile the policy module from source to binary, at least today, so
>>>>> it isn't much different to invoke semodule to install the binary module.
>>>>>
>>>>> Then there is the issue of being able to run the semodule stage of
>>>>> processing in a separate domain, although at present semanage and
>>>>> semodule operate in the same domain so it makes no difference at
>>>>> present.
>>>>>
>>>> Maybe its just personal preference but I see using library interfaces
>>>> as much more clean than invoking semodule and grepping. semanage
>>>> already uses the library interfaces for everything else so this would
>>>> be the one case where it doesn't. He already fixed it up to use the
>>>> interfaces so its moot at this point.
>>> Well, it doesn't have to be moot - we can always take the first
>>> implementation if we think it best. But I'm not fundamentally opposed
>>> to the latter approach, just wanted to explore the rationale. One thing
>>> I would note however is that I see lack of complete error return
>>> checking in the new code that would have been properly checked by
>>> semodule...
>>>
>> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
>>
>> Maybe deep down inside I'm just not a unix programmer ;)
>
> Ok, that's fine with me.
>
> Maybe my own bias is just against python code compared to good olde C
> programs!
>
C is the language of the devil. :^)
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 14:29 ` Stephen Smalley
2008-07-02 18:09 ` Daniel J Walsh
@ 2008-07-02 19:06 ` Joshua Brindle
2008-07-02 19:13 ` Stephen Smalley
1 sibling, 1 reply; 15+ messages in thread
From: Joshua Brindle @ 2008-07-02 19:06 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
Stephen Smalley wrote:
> On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>>>>> Daniel J Walsh wrote:
>>>>>>> Gives users the ability to set a domain as permissive
>>>>>>>
>>>>>>>
>>>>>>> semanage permissive -a http_t
>>>>>>>
>>>>>>> It created a policy module named permissive_httpd_t.pp with the
>>>>>>> permissive call.
>>>>>>>
>>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>>>>
>>>>>> I would prefer a more 'pure' approach where we keep a list of
>>>>>> permissive types and inject them into the kernel policy after linking
>>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>>>>> that adding a whole new set of databases and interfaces is both
>>>>>> annoying and time consuming so I'm fine with it working on modules,
>>>>>> I'd just like to see it using libsemanage interfaces instead of
>>>>>> calling semodule.
>>>>> Why do you see direct use of the libsemanage interfaces as preferable to
>>>>> invoking semodule (aside from performance, and this isn't really
>>>>> performance critical)?
>>>>>
>>>>> I'm unclear on the tradeoff being made there, as composing small
>>>>> programs together to perform more complex operation is the Unix (tm)
>>>>> way ;)
>>>>>
>>>>> The advantage of just invoking semodule is that semodule is already a
>>>>> well-tested program that performs that function well, does proper error
>>>>> checking and handling of the various libsemanage calls, etc. And if we
>>>>> later fix a bug or introduce new functionality there, we only have to do
>>>>> it once vs. in multiple places.
>>>>>
>>>>> And the semanage permissive code already has to invoke a helper program
>>>>> to compile the policy module from source to binary, at least today, so
>>>>> it isn't much different to invoke semodule to install the binary module.
>>>>>
>>>>> Then there is the issue of being able to run the semodule stage of
>>>>> processing in a separate domain, although at present semanage and
>>>>> semodule operate in the same domain so it makes no difference at
>>>>> present.
>>>>>
>>>> Maybe its just personal preference but I see using library interfaces
>>>> as much more clean than invoking semodule and grepping. semanage
>>>> already uses the library interfaces for everything else so this would
>>>> be the one case where it doesn't. He already fixed it up to use the
>>>> interfaces so its moot at this point.
>>> Well, it doesn't have to be moot - we can always take the first
>>> implementation if we think it best. But I'm not fundamentally opposed
>>> to the latter approach, just wanted to explore the rationale. One thing
>>> I would note however is that I see lack of complete error return
>>> checking in the new code that would have been properly checked by
>>> semodule...
>>>
>> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
>>
>> Maybe deep down inside I'm just not a unix programmer ;)
>
> Ok, that's fine with me.
>
> Maybe my own bias is just against python code compared to good olde C
> programs!
>
Updated patch, unrelated things removed and error checking paths fixed up.
-----
Index: policycoreutils/semanage/semanage
===================================================================
--- policycoreutils/semanage/semanage (revision 2920)
+++ policycoreutils/semanage/semanage (working copy)
@@ -52,6 +52,7 @@
semanage fcontext -{a|d|m} [-frst] file_spec
semanage translation -{a|d|m} [-T] level
semanage boolean -{d|m} boolean
+semanage permissive -{d|a} type
Primary Options:
@@ -114,6 +115,8 @@
valid_option["translation"] += valid_everyone + [ '-T', '--trans' ]
valid_option["boolean"] = []
valid_option["boolean"] += valid_everyone + [ '--on', "--off", "-1", "-0" ]
+ valid_option["permissive"] = []
+ valid_option["permissive"] += [ '-a', '--add', '-d', '--delete', '-l', '--list', '-h', '--help', '-n', '--noheading', '-D', '--deleteall' ]
return valid_option
#
@@ -268,6 +271,9 @@
if object == "translation":
OBJECT = seobject.setransRecords()
+ if object == "permissive":
+ OBJECT = seobject.permissiveRecords(store)
+
if list:
OBJECT.list(heading, locallist)
sys.exit(0);
@@ -304,6 +310,9 @@
if object == "fcontext":
OBJECT.add(target, setype, ftype, serange, seuser)
+ if object == "permissive":
+ OBJECT.add(target)
+
sys.exit(0);
if modify:
Index: policycoreutils/semanage/seobject.py
===================================================================
--- policycoreutils/semanage/seobject.py (revision 2917)
+++ policycoreutils/semanage/seobject.py (working copy)
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007 Red Hat
+# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# semanage is a tool for managing SELinux configuration files
@@ -24,7 +24,9 @@
import pwd, string, selinux, tempfile, os, re, sys
from semanage import *;
PROGNAME="policycoreutils"
+import sepolgen.module as module
+import commands
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
@@ -246,7 +248,108 @@
os.close(fd)
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
-
+
+class permissiveRecords:
+ def __init__(self, store):
+ self.store = store
+ self.sh = semanage_handle_create()
+ if not self.sh:
+ raise ValueError(_("Could not create semanage handle"))
+
+ if store != "":
+ semanage_select_store(self.sh, store, SEMANAGE_CON_DIRECT);
+
+ self.semanaged = semanage_is_managed(self.sh)
+
+ if not self.semanaged:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
+
+ rc = semanage_access_check(self.sh)
+ if rc < SEMANAGE_CAN_READ:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Cannot read policy store."))
+
+ rc = semanage_connect(self.sh)
+ if rc < 0:
+ semanage_handle_destroy(self.sh)
+ raise ValueError(_("Could not establish semanage connection"))
+
+ def get_all(self):
+ l = []
+ (rc, mlist, number) = semanage_module_list(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not list SELinux modules"))
+
+ for i in range(number):
+ mod = semanage_module_list_nth(mlist, i)
+ name = semanage_module_get_name(mod)
+ if name and name.startswith("permissive_"):
+ l.append(name.split("permissive_")[1])
+ return l
+
+ def list(self,heading = 1, locallist = 0):
+ if heading:
+ print "\n%-25s\n" % (_("Permissive Types"))
+ for t in self.get_all():
+ print t
+
+
+ def add(self, type):
+ name = "permissive_%s" % type
+ dirname = "/var/lib/selinux"
+ os.chdir(dirname)
+ filename = "%s.te" % name
+ modtxt = """
+module %s 1.0;
+
+require {
+ type %s;
+}
+
+permissive %s;
+""" % (name, type, type)
+ fd = open(filename,'w')
+ fd.write(modtxt)
+ fd.close()
+ mc = module.ModuleCompiler()
+ mc.create_module_package(filename, 1)
+ fd = open("permissive_%s.pp" % type)
+ data = fd.read()
+ fd.close()
+
+ rc = semanage_module_install(self.sh, data, len(data));
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s (commit failed)") % name)
+ for root, dirs, files in os.walk("tmp", topdown=False):
+ for name in files:
+ os.remove(os.path.join(root, name))
+ for name in dirs:
+ os.rmdir(os.path.join(root, name))
+
+ if rc != 0:
+ raise ValueError(out)
+
+
+ def delete(self, name):
+ for n in name.split():
+ rc = semanage_module_remove(self.sh, "permissive_%s" % n)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s (remove failed)") % name)
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError(_("Could not remove permissive domain %s (commit failed)") % name)
+
+
+ def deleteall(self):
+ l = self.get_all()
+ if len(l) > 0:
+ all = " ".join(l)
+ self.delete(all)
+
class semanageRecords:
def __init__(self, store):
self.sh = semanage_handle_create()
Index: policycoreutils/semanage/semanage.8
===================================================================
--- policycoreutils/semanage/semanage.8 (revision 2917)
+++ policycoreutils/semanage/semanage.8 (working copy)
@@ -17,6 +17,8 @@
.br
.B semanage fcontext \-{a|d|m} [\-frst] file_spec
.br
+.B semanage permissive \-{a|d} type
+.br
.B semanage translation \-{a|d|m} [\-T] level
.P
@@ -101,10 +103,11 @@
$ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
# Allow Apache to listen on port 81
$ semanage port -a -t http_port_t -p tcp 81
+# Change apache to a permissive domain
+$ semanage permissive -a http_t
.fi
.SH "AUTHOR"
This man page was written by Daniel Walsh <dwalsh@redhat.com> and
Russell Coker <rcoker@redhat.com>.
Examples by Thomas Bleher <ThomasBleher@gmx.de>.
-
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 19:06 ` Joshua Brindle
@ 2008-07-02 19:13 ` Stephen Smalley
2008-07-02 19:22 ` Joshua Brindle
0 siblings, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2008-07-02 19:13 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, SE Linux
On Wed, 2008-07-02 at 15:06 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
> >>>>>> Daniel J Walsh wrote:
> >>>>>>> Gives users the ability to set a domain as permissive
> >>>>>>>
> >>>>>>>
> >>>>>>> semanage permissive -a http_t
> >>>>>>>
> >>>>>>> It created a policy module named permissive_httpd_t.pp with the
> >>>>>>> permissive call.
> >>>>>>>
> >>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
> >>>>>>
> >>>>>> I would prefer a more 'pure' approach where we keep a list of
> >>>>>> permissive types and inject them into the kernel policy after linking
> >>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
> >>>>>> that adding a whole new set of databases and interfaces is both
> >>>>>> annoying and time consuming so I'm fine with it working on modules,
> >>>>>> I'd just like to see it using libsemanage interfaces instead of
> >>>>>> calling semodule.
> >>>>> Why do you see direct use of the libsemanage interfaces as preferable to
> >>>>> invoking semodule (aside from performance, and this isn't really
> >>>>> performance critical)?
> >>>>>
> >>>>> I'm unclear on the tradeoff being made there, as composing small
> >>>>> programs together to perform more complex operation is the Unix (tm)
> >>>>> way ;)
> >>>>>
> >>>>> The advantage of just invoking semodule is that semodule is already a
> >>>>> well-tested program that performs that function well, does proper error
> >>>>> checking and handling of the various libsemanage calls, etc. And if we
> >>>>> later fix a bug or introduce new functionality there, we only have to do
> >>>>> it once vs. in multiple places.
> >>>>>
> >>>>> And the semanage permissive code already has to invoke a helper program
> >>>>> to compile the policy module from source to binary, at least today, so
> >>>>> it isn't much different to invoke semodule to install the binary module.
> >>>>>
> >>>>> Then there is the issue of being able to run the semodule stage of
> >>>>> processing in a separate domain, although at present semanage and
> >>>>> semodule operate in the same domain so it makes no difference at
> >>>>> present.
> >>>>>
> >>>> Maybe its just personal preference but I see using library interfaces
> >>>> as much more clean than invoking semodule and grepping. semanage
> >>>> already uses the library interfaces for everything else so this would
> >>>> be the one case where it doesn't. He already fixed it up to use the
> >>>> interfaces so its moot at this point.
> >>> Well, it doesn't have to be moot - we can always take the first
> >>> implementation if we think it best. But I'm not fundamentally opposed
> >>> to the latter approach, just wanted to explore the rationale. One thing
> >>> I would note however is that I see lack of complete error return
> >>> checking in the new code that would have been properly checked by
> >>> semodule...
> >>>
> >> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
> >>
> >> Maybe deep down inside I'm just not a unix programmer ;)
> >
> > Ok, that's fine with me.
> >
> > Maybe my own bias is just against python code compared to good olde C
> > programs!
> >
>
> Updated patch, unrelated things removed and error checking paths fixed up.
>
> -----
> Index: policycoreutils/semanage/seobject.py
> ===================================================================
> --- policycoreutils/semanage/seobject.py (revision 2917)
> +++ policycoreutils/semanage/seobject.py (working copy)
> @@ -246,7 +248,108 @@
<snip>
> + def add(self, type):
> + name = "permissive_%s" % type
> + dirname = "/var/lib/selinux"
> + os.chdir(dirname)
Not new to the updated patch, but this can fail.
> + filename = "%s.te" % name
> + modtxt = """
> +module %s 1.0;
> +
> +require {
> + type %s;
> +}
> +
> +permissive %s;
> +""" % (name, type, type)
> + fd = open(filename,'w')
Can fail.
> + fd.write(modtxt)
Can fail.
> + fd.close()
Can fail.
> + mc = module.ModuleCompiler()
> + mc.create_module_package(filename, 1)
Can fail?
> + fd = open("permissive_%s.pp" % type)
Can fail.
> + data = fd.read()
> + fd.close()
> +
> + rc = semanage_module_install(self.sh, data, len(data));
> + if rc < 0:
> + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
> + rc = semanage_commit(self.sh)
> + if rc < 0:
> + raise ValueError(_("Could not set permissive domain %s (commit failed)") % name)
> + for root, dirs, files in os.walk("tmp", topdown=False):
> + for name in files:
> + os.remove(os.path.join(root, name))
> + for name in dirs:
> + os.rmdir(os.path.join(root, name))
No recursive removal function in python?
Do we need full pathnames here vs. relative ones?
> Index: policycoreutils/semanage/semanage.8
> ===================================================================
> --- policycoreutils/semanage/semanage.8 (revision 2917)
> +++ policycoreutils/semanage/semanage.8 (working copy)
> @@ -17,6 +17,8 @@
> .br
> .B semanage fcontext \-{a|d|m} [\-frst] file_spec
> .br
> +.B semanage permissive \-{a|d} type
> +.br
> .B semanage translation \-{a|d|m} [\-T] level
> .P
>
> @@ -101,10 +103,11 @@
> $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
> # Allow Apache to listen on port 81
> $ semanage port -a -t http_port_t -p tcp 81
> +# Change apache to a permissive domain
> +$ semanage permissive -a http_t
Typo: should be httpd_t, IIRC.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 19:13 ` Stephen Smalley
@ 2008-07-02 19:22 ` Joshua Brindle
2008-07-02 19:25 ` Stephen Smalley
0 siblings, 1 reply; 15+ messages in thread
From: Joshua Brindle @ 2008-07-02 19:22 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
Stephen Smalley wrote:
> On Wed, 2008-07-02 at 15:06 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
>>>>>> Stephen Smalley wrote:
>>>>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>> Gives users the ability to set a domain as permissive
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> semanage permissive -a http_t
>>>>>>>>>
>>>>>>>>> It created a policy module named permissive_httpd_t.pp with the
>>>>>>>>> permissive call.
>>>>>>>>>
>>>>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>>>>>>
>>>>>>>> I would prefer a more 'pure' approach where we keep a list of
>>>>>>>> permissive types and inject them into the kernel policy after linking
>>>>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>>>>>>> that adding a whole new set of databases and interfaces is both
>>>>>>>> annoying and time consuming so I'm fine with it working on modules,
>>>>>>>> I'd just like to see it using libsemanage interfaces instead of
>>>>>>>> calling semodule.
>>>>>>> Why do you see direct use of the libsemanage interfaces as preferable to
>>>>>>> invoking semodule (aside from performance, and this isn't really
>>>>>>> performance critical)?
>>>>>>>
>>>>>>> I'm unclear on the tradeoff being made there, as composing small
>>>>>>> programs together to perform more complex operation is the Unix (tm)
>>>>>>> way ;)
>>>>>>>
>>>>>>> The advantage of just invoking semodule is that semodule is already a
>>>>>>> well-tested program that performs that function well, does proper error
>>>>>>> checking and handling of the various libsemanage calls, etc. And if we
>>>>>>> later fix a bug or introduce new functionality there, we only have to do
>>>>>>> it once vs. in multiple places.
>>>>>>>
>>>>>>> And the semanage permissive code already has to invoke a helper program
>>>>>>> to compile the policy module from source to binary, at least today, so
>>>>>>> it isn't much different to invoke semodule to install the binary module.
>>>>>>>
>>>>>>> Then there is the issue of being able to run the semodule stage of
>>>>>>> processing in a separate domain, although at present semanage and
>>>>>>> semodule operate in the same domain so it makes no difference at
>>>>>>> present.
>>>>>>>
>>>>>> Maybe its just personal preference but I see using library interfaces
>>>>>> as much more clean than invoking semodule and grepping. semanage
>>>>>> already uses the library interfaces for everything else so this would
>>>>>> be the one case where it doesn't. He already fixed it up to use the
>>>>>> interfaces so its moot at this point.
>>>>> Well, it doesn't have to be moot - we can always take the first
>>>>> implementation if we think it best. But I'm not fundamentally opposed
>>>>> to the latter approach, just wanted to explore the rationale. One thing
>>>>> I would note however is that I see lack of complete error return
>>>>> checking in the new code that would have been properly checked by
>>>>> semodule...
>>>>>
>>>> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
>>>>
>>>> Maybe deep down inside I'm just not a unix programmer ;)
>>> Ok, that's fine with me.
>>>
>>> Maybe my own bias is just against python code compared to good olde C
>>> programs!
>>>
>> Updated patch, unrelated things removed and error checking paths fixed up.
>>
>> -----
>
>> Index: policycoreutils/semanage/seobject.py
>> ===================================================================
>> --- policycoreutils/semanage/seobject.py (revision 2917)
>> +++ policycoreutils/semanage/seobject.py (working copy)
>> @@ -246,7 +248,108 @@
> <snip>
>> + def add(self, type):
>> + name = "permissive_%s" % type
>> + dirname = "/var/lib/selinux"
>> + os.chdir(dirname)
>
> Not new to the updated patch, but this can fail.
>
*sigh* I updated the libsemanage error paths anyway. AFAIK the os functions will throw if they fail and since nothing is done inside the store until the transaction has started there isn't any state to clean up so I'm not sure how important it is to do checks here. If you look at sepolgen you'll see the same kinds of things (open being called and no check for error condition, etc).
>> + filename = "%s.te" % name
>> + modtxt = """
>> +module %s 1.0;
>> +
>> +require {
>> + type %s;
>> +}
>> +
>> +permissive %s;
>> +""" % (name, type, type)
>> + fd = open(filename,'w')
>
> Can fail.
>
>> + fd.write(modtxt)
>
> Can fail.
>
>> + fd.close()
>
> Can fail.
>
>> + mc = module.ModuleCompiler()
>> + mc.create_module_package(filename, 1)
>
> Can fail?
>
>> + fd = open("permissive_%s.pp" % type)
>
> Can fail.
>
>> + data = fd.read()
>> + fd.close()
>> +
>> + rc = semanage_module_install(self.sh, data, len(data));
>> + if rc < 0:
>> + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
>> + rc = semanage_commit(self.sh)
>> + if rc < 0:
>> + raise ValueError(_("Could not set permissive domain %s (commit failed)") % name)
>> + for root, dirs, files in os.walk("tmp", topdown=False):
>> + for name in files:
>> + os.remove(os.path.join(root, name))
>> + for name in dirs:
>> + os.rmdir(os.path.join(root, name))
>
> No recursive removal function in python?
> Do we need full pathnames here vs. relative ones?
>
>> Index: policycoreutils/semanage/semanage.8
>> ===================================================================
>> --- policycoreutils/semanage/semanage.8 (revision 2917)
>> +++ policycoreutils/semanage/semanage.8 (working copy)
>> @@ -17,6 +17,8 @@
>> .br
>> .B semanage fcontext \-{a|d|m} [\-frst] file_spec
>> .br
>> +.B semanage permissive \-{a|d} type
>> +.br
>> .B semanage translation \-{a|d|m} [\-T] level
>> .P
>>
>> @@ -101,10 +103,11 @@
>> $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
>> # Allow Apache to listen on port 81
>> $ semanage port -a -t http_port_t -p tcp 81
>> +# Change apache to a permissive domain
>> +$ semanage permissive -a http_t
>
> Typo: should be httpd_t, IIRC.
>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 19:22 ` Joshua Brindle
@ 2008-07-02 19:25 ` Stephen Smalley
2008-07-02 19:54 ` Joshua Brindle
0 siblings, 1 reply; 15+ messages in thread
From: Stephen Smalley @ 2008-07-02 19:25 UTC (permalink / raw)
To: Joshua Brindle; +Cc: Daniel J Walsh, SE Linux
On Wed, 2008-07-02 at 15:22 -0400, Joshua Brindle wrote:
> Stephen Smalley wrote:
> > On Wed, 2008-07-02 at 15:06 -0400, Joshua Brindle wrote:
> >> Stephen Smalley wrote:
> >>> On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
> >>>> Stephen Smalley wrote:
> >>>>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
> >>>>>> Stephen Smalley wrote:
> >>>>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
> >>>>>>>> Daniel J Walsh wrote:
> >>>>>>>>> Gives users the ability to set a domain as permissive
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> semanage permissive -a http_t
> >>>>>>>>>
> >>>>>>>>> It created a policy module named permissive_httpd_t.pp with the
> >>>>>>>>> permissive call.
> >>>>>>>>>
> >>>>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
> >>>>>>>>
> >>>>>>>> I would prefer a more 'pure' approach where we keep a list of
> >>>>>>>> permissive types and inject them into the kernel policy after linking
> >>>>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
> >>>>>>>> that adding a whole new set of databases and interfaces is both
> >>>>>>>> annoying and time consuming so I'm fine with it working on modules,
> >>>>>>>> I'd just like to see it using libsemanage interfaces instead of
> >>>>>>>> calling semodule.
> >>>>>>> Why do you see direct use of the libsemanage interfaces as preferable to
> >>>>>>> invoking semodule (aside from performance, and this isn't really
> >>>>>>> performance critical)?
> >>>>>>>
> >>>>>>> I'm unclear on the tradeoff being made there, as composing small
> >>>>>>> programs together to perform more complex operation is the Unix (tm)
> >>>>>>> way ;)
> >>>>>>>
> >>>>>>> The advantage of just invoking semodule is that semodule is already a
> >>>>>>> well-tested program that performs that function well, does proper error
> >>>>>>> checking and handling of the various libsemanage calls, etc. And if we
> >>>>>>> later fix a bug or introduce new functionality there, we only have to do
> >>>>>>> it once vs. in multiple places.
> >>>>>>>
> >>>>>>> And the semanage permissive code already has to invoke a helper program
> >>>>>>> to compile the policy module from source to binary, at least today, so
> >>>>>>> it isn't much different to invoke semodule to install the binary module.
> >>>>>>>
> >>>>>>> Then there is the issue of being able to run the semodule stage of
> >>>>>>> processing in a separate domain, although at present semanage and
> >>>>>>> semodule operate in the same domain so it makes no difference at
> >>>>>>> present.
> >>>>>>>
> >>>>>> Maybe its just personal preference but I see using library interfaces
> >>>>>> as much more clean than invoking semodule and grepping. semanage
> >>>>>> already uses the library interfaces for everything else so this would
> >>>>>> be the one case where it doesn't. He already fixed it up to use the
> >>>>>> interfaces so its moot at this point.
> >>>>> Well, it doesn't have to be moot - we can always take the first
> >>>>> implementation if we think it best. But I'm not fundamentally opposed
> >>>>> to the latter approach, just wanted to explore the rationale. One thing
> >>>>> I would note however is that I see lack of complete error return
> >>>>> checking in the new code that would have been properly checked by
> >>>>> semodule...
> >>>>>
> >>>> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
> >>>>
> >>>> Maybe deep down inside I'm just not a unix programmer ;)
> >>> Ok, that's fine with me.
> >>>
> >>> Maybe my own bias is just against python code compared to good olde C
> >>> programs!
> >>>
> >> Updated patch, unrelated things removed and error checking paths fixed up.
> >>
> >> -----
> >
> >> Index: policycoreutils/semanage/seobject.py
> >> ===================================================================
> >> --- policycoreutils/semanage/seobject.py (revision 2917)
> >> +++ policycoreutils/semanage/seobject.py (working copy)
> >> @@ -246,7 +248,108 @@
> > <snip>
> >> + def add(self, type):
> >> + name = "permissive_%s" % type
> >> + dirname = "/var/lib/selinux"
> >> + os.chdir(dirname)
> >
> > Not new to the updated patch, but this can fail.
> >
>
> *sigh* I updated the libsemanage error paths anyway. AFAIK the os
> functions will throw if they fail and since nothing is done inside the
> store until the transaction has started there isn't any state to clean
> up so I'm not sure how important it is to do checks here. If you look
> at sepolgen you'll see the same kinds of things (open being called and
> no check for error condition, etc).
Ok, fine. Then I guess you just need to fix the man page nit.
>
> >> + filename = "%s.te" % name
> >> + modtxt = """
> >> +module %s 1.0;
> >> +
> >> +require {
> >> + type %s;
> >> +}
> >> +
> >> +permissive %s;
> >> +""" % (name, type, type)
> >> + fd = open(filename,'w')
> >
> > Can fail.
> >
> >> + fd.write(modtxt)
> >
> > Can fail.
> >
> >> + fd.close()
> >
> > Can fail.
> >
> >> + mc = module.ModuleCompiler()
> >> + mc.create_module_package(filename, 1)
> >
> > Can fail?
> >
> >> + fd = open("permissive_%s.pp" % type)
> >
> > Can fail.
> >
> >> + data = fd.read()
> >> + fd.close()
> >> +
> >> + rc = semanage_module_install(self.sh, data, len(data));
> >> + if rc < 0:
> >> + raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
> >> + rc = semanage_commit(self.sh)
> >> + if rc < 0:
> >> + raise ValueError(_("Could not set permissive domain %s (commit failed)") % name)
> >> + for root, dirs, files in os.walk("tmp", topdown=False):
> >> + for name in files:
> >> + os.remove(os.path.join(root, name))
> >> + for name in dirs:
> >> + os.rmdir(os.path.join(root, name))
> >
> > No recursive removal function in python?
> > Do we need full pathnames here vs. relative ones?
> >
> >> Index: policycoreutils/semanage/semanage.8
> >> ===================================================================
> >> --- policycoreutils/semanage/semanage.8 (revision 2917)
> >> +++ policycoreutils/semanage/semanage.8 (working copy)
> >> @@ -17,6 +17,8 @@
> >> .br
> >> .B semanage fcontext \-{a|d|m} [\-frst] file_spec
> >> .br
> >> +.B semanage permissive \-{a|d} type
> >> +.br
> >> .B semanage translation \-{a|d|m} [\-T] level
> >> .P
> >>
> >> @@ -101,10 +103,11 @@
> >> $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
> >> # Allow Apache to listen on port 81
> >> $ semanage port -a -t http_port_t -p tcp 81
> >> +# Change apache to a permissive domain
> >> +$ semanage permissive -a http_t
> >
> > Typo: should be httpd_t, IIRC.
> >
>
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: This patch adds permissive to semanage
2008-07-02 19:25 ` Stephen Smalley
@ 2008-07-02 19:54 ` Joshua Brindle
0 siblings, 0 replies; 15+ messages in thread
From: Joshua Brindle @ 2008-07-02 19:54 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
Stephen Smalley wrote:
> On Wed, 2008-07-02 at 15:22 -0400, Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2008-07-02 at 15:06 -0400, Joshua Brindle wrote:
>>>> Stephen Smalley wrote:
>>>>> On Wed, 2008-07-02 at 09:37 -0400, Joshua Brindle wrote:
>>>>>> Stephen Smalley wrote:
>>>>>>> On Wed, 2008-07-02 at 09:09 -0400, Joshua Brindle wrote:
>>>>>>>> Stephen Smalley wrote:
>>>>>>>>> On Mon, 2008-06-30 at 13:58 -0400, Joshua Brindle wrote:
>>>>>>>>>> Daniel J Walsh wrote:
>>>>>>>>>>> Gives users the ability to set a domain as permissive
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> semanage permissive -a http_t
>>>>>>>>>>>
>>>>>>>>>>> It created a policy module named permissive_httpd_t.pp with the
>>>>>>>>>>> permissive call.
>>>>>>>>>>>
>>>>>>>>>> So, a really quick glance brings up a couple issues. First you have '-n', '--noheading' which aren't documented in the man page or elsewhere. Second (and more importantly) why are you executing semodule like that? libsemanage is the library that manages modules, and also the library used by semanage for everything else.
>>>>>>>>>>
>>>>>>>>>> I would prefer a more 'pure' approach where we keep a list of
>>>>>>>>>> permissive types and inject them into the kernel policy after linking
>>>>>>>>>> (like libsemanage does with users, ports, nodes, etc) but I understand
>>>>>>>>>> that adding a whole new set of databases and interfaces is both
>>>>>>>>>> annoying and time consuming so I'm fine with it working on modules,
>>>>>>>>>> I'd just like to see it using libsemanage interfaces instead of
>>>>>>>>>> calling semodule.
>>>>>>>>> Why do you see direct use of the libsemanage interfaces as preferable to
>>>>>>>>> invoking semodule (aside from performance, and this isn't really
>>>>>>>>> performance critical)?
>>>>>>>>>
>>>>>>>>> I'm unclear on the tradeoff being made there, as composing small
>>>>>>>>> programs together to perform more complex operation is the Unix (tm)
>>>>>>>>> way ;)
>>>>>>>>>
>>>>>>>>> The advantage of just invoking semodule is that semodule is already a
>>>>>>>>> well-tested program that performs that function well, does proper error
>>>>>>>>> checking and handling of the various libsemanage calls, etc. And if we
>>>>>>>>> later fix a bug or introduce new functionality there, we only have to do
>>>>>>>>> it once vs. in multiple places.
>>>>>>>>>
>>>>>>>>> And the semanage permissive code already has to invoke a helper program
>>>>>>>>> to compile the policy module from source to binary, at least today, so
>>>>>>>>> it isn't much different to invoke semodule to install the binary module.
>>>>>>>>>
>>>>>>>>> Then there is the issue of being able to run the semodule stage of
>>>>>>>>> processing in a separate domain, although at present semanage and
>>>>>>>>> semodule operate in the same domain so it makes no difference at
>>>>>>>>> present.
>>>>>>>>>
>>>>>>>> Maybe its just personal preference but I see using library interfaces
>>>>>>>> as much more clean than invoking semodule and grepping. semanage
>>>>>>>> already uses the library interfaces for everything else so this would
>>>>>>>> be the one case where it doesn't. He already fixed it up to use the
>>>>>>>> interfaces so its moot at this point.
>>>>>>> Well, it doesn't have to be moot - we can always take the first
>>>>>>> implementation if we think it best. But I'm not fundamentally opposed
>>>>>>> to the latter approach, just wanted to explore the rationale. One thing
>>>>>>> I would note however is that I see lack of complete error return
>>>>>>> checking in the new code that would have been properly checked by
>>>>>>> semodule...
>>>>>>>
>>>>>> I'll fix the error checking in the second patch if you are fine with it otherwise. I just think the library is there for a reason, if we didn't want client programs using it we should have just built it into the application code. Feel free to veto me here if my rationale is weak (as it likely is).
>>>>>>
>>>>>> Maybe deep down inside I'm just not a unix programmer ;)
>>>>> Ok, that's fine with me.
>>>>>
>>>>> Maybe my own bias is just against python code compared to good olde C
>>>>> programs!
>>>>>
>>>> Updated patch, unrelated things removed and error checking paths fixed up.
>>>>
>>>> -----
>>>> Index: policycoreutils/semanage/seobject.py
>>>> ===================================================================
>>>> --- policycoreutils/semanage/seobject.py (revision 2917)
>>>> +++ policycoreutils/semanage/seobject.py (working copy)
>>>> @@ -246,7 +248,108 @@
>>> <snip>
>>>> + def add(self, type):
>>>> + name = "permissive_%s" % type
>>>> + dirname = "/var/lib/selinux"
>>>> + os.chdir(dirname)
>>> Not new to the updated patch, but this can fail.
>>>
>> *sigh* I updated the libsemanage error paths anyway. AFAIK the os
>> functions will throw if they fail and since nothing is done inside the
>> store until the transaction has started there isn't any state to clean
>> up so I'm not sure how important it is to do checks here. If you look
>> at sepolgen you'll see the same kinds of things (open being called and
>> no check for error condition, etc).
>
> Ok, fine. Then I guess you just need to fix the man page nit.
>
Merged into policycoreutils 2.0.52 with man page nit fixed.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2008-07-02 19:54 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-06-30 16:02 This patch adds permissive to semanage Daniel J Walsh
2008-06-30 17:58 ` Joshua Brindle
2008-07-02 0:50 ` Daniel J Walsh
2008-07-02 12:00 ` Stephen Smalley
2008-07-02 13:09 ` Joshua Brindle
2008-07-02 13:17 ` Stephen Smalley
2008-07-02 13:37 ` Joshua Brindle
2008-07-02 14:29 ` Stephen Smalley
2008-07-02 18:09 ` Daniel J Walsh
2008-07-02 19:06 ` Joshua Brindle
2008-07-02 19:13 ` Stephen Smalley
2008-07-02 19:22 ` Joshua Brindle
2008-07-02 19:25 ` Stephen Smalley
2008-07-02 19:54 ` Joshua Brindle
2008-07-02 18:07 ` Daniel J Walsh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.