* Can we make libsemanage default to expand-check=0
@ 2008-08-05 14:33 Daniel J Walsh
From: Daniel J Walsh @ 2008-08-05 14:33 UTC (permalink / raw)
To: SE Linux
[-- Attachment #2: libsemanage-rhat.patch --]
[-- Type: text/plain, Size: 408 bytes --]
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.25/src/semanage.conf
--- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.25/src/semanage.conf 2008-07-17 13:58:44.000000000 -0400
@@ -35,4 +35,4 @@
# given in <sepol/policydb.h>. Change this setting if a different
# version is necessary.
#policy-version = 19
-
+expand-check=0
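Review bot: the new `expand-check=0` line is undocumented, while the setting next to it in this file (`#policy-version = 19`) has the two comment lines above it explaining what it does and when to change it; add a comment saying what expand-check controls (the checking applied at expand time) and why it is being turned off, and use the `key = value` spacing the file already uses for `policy-version = 19`. Because the line is uncommented it also changes the effective default for every installation rather than documenting the knob; shipping it as a commented `#expand-check=0` (or changing the default in code, as the discussion in this thread suggests) would keep the conf file as documentation and the behaviour change explicit. Minor: the hunk replaces the file's trailing blank line rather than appending after it.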
* Re: Can we make libsemanage default to expand-check=0
@ 2008-08-05 14:53 ` Stephen Smalley
From: Stephen Smalley @ 2008-08-05 14:53 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
On Tue, 2008-08-05 at 10:33 -0400, Daniel J Walsh wrote:
> plain text document attachment (libsemanage-rhat.patch)
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.25/src/semanage.conf
> --- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.25/src/semanage.conf 2008-07-17 13:58:44.000000000 -0400
> @@ -35,4 +35,4 @@
> # given in <sepol/policydb.h>. Change this setting if a different
> # version is necessary.
> #policy-version = 19
> -
> +expand-check=0
I thought we were going to leave this unchanged upstream, and only make
this change in Fedora.
We want the checking to be applied for policy developers. If you were
to incorporate 'make validate' into the policy spec file, then you would
get it applied when you perform a policy build. And ideally there would
be similar support in the selinux-policy-devel Makefile for policy
module writers to use. All it does is run semodule_link followed by
semodule_expand, which applies the checking.
If we were to change the upstream default, we'd likely change it in the
code (semanage_conf_init()) rather than just in the .conf file. And
then policy developers would need to add expand-check=1 to their .conf
file to set it.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Can we make libsemanage default to expand-check=0
@ 2008-08-06 12:56 ` Daniel J Walsh
From: Daniel J Walsh @ 2008-08-06 12:56 UTC (permalink / raw)
To: Stephen Smalley; +Cc: SE Linux
Stephen Smalley wrote:
> On Tue, 2008-08-05 at 10:33 -0400, Daniel J Walsh wrote:
>> plain text document attachment (libsemanage-rhat.patch)
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.25/src/semanage.conf
>> --- nsalibsemanage/src/semanage.conf 2008-06-12 23:25:16.000000000 -0400
>> +++ libsemanage-2.0.25/src/semanage.conf 2008-07-17 13:58:44.000000000 -0400
>> @@ -35,4 +35,4 @@
>> # given in <sepol/policydb.h>. Change this setting if a different
>> # version is necessary.
>> #policy-version = 19
>> -
>> +expand-check=0
>
> I thought we were going to leave this unchanged upstream, and only make
> this change in Fedora.
>
Ok. I was just trying to get rid of my patch.
> We want the checking to be applied for policy developers. If you were
> to incorporate 'make validate' into the policy spec file, then you would
> get it applied when you perform a policy build. And ideally there would
> be similar support in the selinux-policy-devel Makefile for policy
> module writers to use. All it does is run semodule_link followed by
> semodule_expand, which applies the checking.
>
make validate is now in the Rawhide spec file.
> If we were to change the upstream default, we'd likely change it in the
> code (semanage_conf_init()) rather than just in the .conf file. And
> then policy developers would need to add expand-check=1 to their .conf
> file to set it.
>
Putting this into the selinux-policy-devel package (which does not exist
any longer; it is all part of selinux-policy) does not work, since
semodule_link and semodule_expand do not use the installed system. So
you would have to hack up the Makefile to grab all of the pp files in
/etc/selinux/TYPE/modules/active/*.pp and isolate the base.pp file, then
add the new pp files that you are creating. Or somehow add this as a
parameter to semodule_link to make it happen automatically.
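Added example (not code from this thread, from libsemanage or from refpolicy): a stand-alone validate step built the way Stephen describes it (semodule_link followed by semodule_expand, which is where the assertion checking runs) and fed the module set the way Dan's message describes (the installed *.pp packages from the active store, with base.pp isolated as the base package, plus the packages being built). It assumes the 2008-era store layout /etc/selinux/TYPE/modules/active/*.pp quoted above, with the base module stored as base.pp; the SELINUX_STORE variable and the two function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, libsemanage or refpolicy.
# Validate new policy modules against the installed set by running
# semodule_link and then semodule_expand on a throwaway copy, so the
# expand-time checks (neverallow assertions) run even on a system whose
# semanage.conf has expand-check=0.
#
# Assumptions (this example's own): the 2008-era module store layout
# /etc/selinux/TYPE/modules/active/*.pp with the base module as base.pp;
# the variable SELINUX_STORE and the function names below.

SELINUX_STORE="${SELINUX_STORE:-/etc/selinux/targeted/modules/active}"

# module_link_list STORE NEWPKG...
# Print the packages to hand to semodule_link, one per line: base.pp first
# (semodule_link takes the base package as its first argument), then the
# other installed *.pp packages, then the new ones. Fails when there is no
# base.pp, because nothing can be linked without it.
module_link_list() {
    store="$1"; shift
    base="$store/base.pp"
    [ -f "$base" ] || { echo "module_link_list: no base.pp in $store" >&2; return 1; }
    echo "$base"
    for pp in "$store"/*.pp; do
        [ "$pp" = "$base" ] && continue
        [ -f "$pp" ] && echo "$pp"   # skips the unexpanded glob for an empty store
    done
    for pp in "$@"; do
        echo "$pp"
    done
}

# validate_modules STORE NEWPKG...
# Link the installed set together with the new packages and expand the
# result into a kernel policy that is thrown away afterwards. Returns the
# status of the link/expand pipeline, so a failed assertion check fails
# the build. Package paths must not contain whitespace (the list is
# re-split on IFS).
validate_modules() {
    store="$1"; shift
    list="$(module_link_list "$store" "$@")" || return 1
    tmp="$(mktemp -d)" || return 1
    set -- $list
    if semodule_link -o "$tmp/policy.linked" "$@" &&
       semodule_expand "$tmp/policy.linked" "$tmp/policy.kern"; then
        rc=0
    else
        rc=$?
    fi
    rm -rf "$tmp"
    return $rc
}

# Typical use from a module Makefile's validate target:
#   validate_modules "$SELINUX_STORE" mymodule.pp
```

The list function is separated from the tool invocation so the ordering logic (base first, then installed, then new) can be checked without an SELinux toolchain present; on a current system the store layout differs from the 2008 one assumed here, so SELINUX_STORE would need to point at wherever the base and module packages actually live.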
* Re: Can we make libsemanage default to expand-check=0
@ 2008-08-08 16:46 ` Joshua Brindle
From: Joshua Brindle @ 2008-08-08 16:46 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux
Daniel J Walsh wrote:
I'd rather we not do this. We are already losing the vast majority of testers for those codepaths by Fedora turning it off; if it becomes off by default, I'm afraid that code will rot like crazy.
* Re: Can we make libsemanage default to expand-check=0
@ 2008-08-08 17:56 ` Daniel J Walsh
From: Daniel J Walsh @ 2008-08-08 17:56 UTC (permalink / raw)
To: Joshua Brindle; +Cc: SE Linux
Joshua Brindle wrote:
> Daniel J Walsh wrote:
>
> I'd rather we not do this. We are already losing the vast majority of testers for those codepaths by Fedora turning it off; if it becomes off by default, I'm afraid that code will rot like crazy.
That is fine. The selinux-policy package does do a validate now on
build. We need to hack something up though to get this to happen in the
makefile in the devel package.