* libsemage patch to not compile modules for seusers and fcontext
@ 2008-08-14 19:46 Daniel J Walsh
  2008-08-15  1:38 ` Ivan Gyurdiev
  2008-08-22 13:38 ` Stephen Smalley
  0 siblings, 2 replies; 19+ messages in thread
From: Daniel J Walsh @ 2008-08-14 19:46 UTC (permalink / raw)
  To: SE Linux

[-- Attachment #1: Type: text/plain, Size: 375 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkiki4sACgkQrlYvE4MpobM9WwCfY1dRI+NDNiUpu0bwhajASwzR
WVkAnRpWzNWiP+CfBW7n2QTfs+yu0CM1
=8h+v
-----END PGP SIGNATURE-----

[-- Attachment #2: libsemanage-rhat.patch --]
[-- Type: text/plain, Size: 3918 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
--- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
@@ -489,12 +489,6 @@
 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
 	modified |= nodes->dtable->is_modified(nodes->dbase);
 
-	/* FIXME: get rid of these, once we support loading the existing policy,
-	 * instead of rebuilding it */
-	modified |= seusers_modified;
-	modified |= fcontexts_modified;
-	modified |= users_extra_modified;
-
 	/* If there were policy changes, or explicitly requested, rebuild the policy */
 	if (sh->do_rebuild || modified) {
 
@@ -667,11 +661,34 @@
 		retval = semanage_verify_kernel(sh);
 		if (retval < 0)
 			goto cleanup;
-	}
+	} else {
+		sepol_policydb_create(&out);
+		modified |= seusers_modified;
+		modified |= fcontexts_modified;
+		modified |= users_extra_modified;
+		
+		retval = semanage_read_policydb(sh, out);
+		if (retval < 0)
+			goto cleanup;
+		
+		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
+		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
 
-	/* FIXME: else if !modified, but seusers_modified, 
-	 * load the existing policy instead of rebuilding */
+		if (seusers_modified) {
+			retval = pseusers->dtable->clear(sh, pseusers->dbase);
+			if (retval < 0)
+				goto cleanup;
+		}
 
+		retval = semanage_base_merge_components(sh);
+		if (retval < 0)
+		  goto cleanup;
+
+		/* Seusers */
+	}
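Review bot: The new `else` branch runs on every commit that does not rebuild, including one where `seusers_modified`, `fcontexts_modified` and `users_extra_modified` are all zero, so a store with no changes at all now pays for a full `semanage_read_policydb()` parse of the kernel policy. Gating the branch on the three file-backed flags keeps the fast path fast: `} else if (seusers_modified || fcontexts_modified || users_extra_modified) {`. The trailing `/* Seusers */` comment just before the closing brace labels nothing and should either be dropped or replaced with what the `semanage_base_merge_components()` call is doing here. The enclosing function starts before and ends after this hunk.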
 	/* ======= Post-process: Validate non-policydb components ===== */
 
 	/* Validate local modifications to file contexts.
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08 15:23:20.000000000 -0400
@@ -1648,6 +1648,47 @@
 }
 
 /**
+ * Read the policy from the sandbox (kernel)
+ */
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+{
+
+	int retval = STATUS_ERR;
+	const char *kernel_filename = NULL;
+	struct sepol_policy_file *pf = NULL;
+	FILE *infile = NULL;
+
+	if ((kernel_filename =
+	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
+		goto cleanup;
+	}
+	if ((infile = fopen(kernel_filename, "r")) == NULL) {
+		ERR(sh, "Could not open kernel policy %s for reading.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	__fsetlocking(infile, FSETLOCKING_BYCALLER);
+	if (sepol_policy_file_create(&pf)) {
+		ERR(sh, "Out of memory!");
+		goto cleanup;
+	}
+	sepol_policy_file_set_fp(pf, infile);
+	sepol_policy_file_set_handle(pf, sh->sepolh);
+	if (sepol_policydb_read(in, pf) == -1) {
+		ERR(sh, "Error while reading kernel policy from %s.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	retval = STATUS_SUCCESS;
+
+      cleanup:
+	if (infile != NULL) {
+		fclose(infile);
+	}
+	sepol_policy_file_free(pf);
+	return retval;
+}
+/**
  * Writes the final policy to the sandbox (kernel)
  */
 int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
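Review bot: The header comment says "Read the policy from the sandbox", but the path is built from `SEMANAGE_ACTIVE`, which names the currently installed store rather than the sandbox being built; if reading the active policy is the intent, the comment should say so, e.g. `/* Read the currently installed kernel policy from the active store */`. The `semanage_path()` failure path jumps to cleanup and returns `STATUS_ERR` without any `ERR()` call, so the caller gets a bare failure with no diagnostic, unlike the two error paths below it. The definition names its second parameter `in` while the header declares it `policydb`; using one name in both places avoids confusion about which direction the policydb flows.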
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11 09:05:16.000000000 -0400
@@ -97,6 +97,9 @@
 			    sepol_module_package_t * base,
 			    sepol_policydb_t ** policydb);
 
+int semanage_read_policydb(semanage_handle_t * sh,
+			    sepol_policydb_t * policydb);
+
 int semanage_write_policydb(semanage_handle_t * sh,
 			    sepol_policydb_t * policydb);
 

[-- Attachment #3: libsemanage-rhat.patch.sig --]
[-- Type: application/octet-stream, Size: 71 bytes --]


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-14 19:46 libsemage patch to not compile modules for seusers and fcontext Daniel J Walsh
@ 2008-08-15  1:38 ` Ivan Gyurdiev
  2008-08-22 13:38 ` Stephen Smalley
  1 sibling, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2008-08-15  1:38 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: selinux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
>   
Hi Dan!
Some suggestions below,  if I can still remember correctly how this was
supposed to work:

One issue with the patch is that it makes an already large and hard to
maintain function even larger - it would be better to split it up and
make it modular instead.  Likely "merge_components" and
"commit_components" should be changed to pass the components to merge or
commit as arguments - so you can operate on file and policydb components
separately.

The "attach" calls shouldn't really be needed, since you're not
re-writing the policydb, or changing ports/bools/etc. It would be better
to change the rest of the code, so that the attach calls become
unnecessary in this code path.

On the other hand the code that parses out seusers/fcontexts/users_extra
info from the module package may be necessary, so that your local
seusers/fcontexts/users_extra changes are properly merged with the
shipped policy files - these are the "write_file" sections above.

- Ivan


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-14 19:46 libsemage patch to not compile modules for seusers and fcontext Daniel J Walsh
  2008-08-15  1:38 ` Ivan Gyurdiev
@ 2008-08-22 13:38 ` Stephen Smalley
  2008-08-26 15:11   ` Daniel J Walsh
  1 sibling, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2008-08-22 13:38 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: SE Linux, Joshua Brindle, ivg231


On Thu, 2008-08-14 at 15:46 -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkiki4sACgkQrlYvE4MpobM9WwCfY1dRI+NDNiUpu0bwhajASwzR
> WVkAnRpWzNWiP+CfBW7n2QTfs+yu0CM1
> =8h+v
> -----END PGP SIGNATURE-----
> plain text document attachment (libsemanage-rhat.patch)
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
> --- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
> @@ -489,12 +489,6 @@
>  	modified |= ifaces->dtable->is_modified(ifaces->dbase);
>  	modified |= nodes->dtable->is_modified(nodes->dbase);
>  
> -	/* FIXME: get rid of these, once we support loading the existing policy,
> -	 * instead of rebuilding it */
> -	modified |= seusers_modified;
> -	modified |= fcontexts_modified;
> -	modified |= users_extra_modified;
> -
>  	/* If there were policy changes, or explicitly requested, rebuild the policy */
>  	if (sh->do_rebuild || modified) {
>  
> @@ -667,11 +661,34 @@
>  		retval = semanage_verify_kernel(sh);
>  		if (retval < 0)
>  			goto cleanup;
> -	}
> +	} else {
> +		sepol_policydb_create(&out);

We should test for failure here (out of memory condition possible).

> +		modified |= seusers_modified;
> +		modified |= fcontexts_modified;
> +		modified |= users_extra_modified;

Should we be setting modified here or just testing for these other
_modified flags where needed?

> +		
> +		retval = semanage_read_policydb(sh, out);

Are there any other situations where we can re-use the existing kernel
policy like this?  e.g. Do we really need to re-link/expand the modules
if we aren't actually modifying modules?  Although there I suppose we
might want a copy of the policy before merging local customizations.

Also reminds me of the whole question of why we don't do incremental
linking to avoid having to re-link each time.

>  
> +		if (retval < 0)
> +			goto cleanup;
> +		
> +		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
> +		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);

Ivan suggested these shouldn't be necessary as long as you make the
later detach conditional.  But he also raised a concern about merging
with the base seusers or users_extra from the modules?  
   
>  
> -	/* FIXME: else if !modified, but seusers_modified, 
> -	 * load the existing policy instead of rebuilding */
> +		if (seusers_modified) {
> +			retval = pseusers->dtable->clear(sh, pseusers->dbase);
> +			if (retval < 0)
> +				goto cleanup;

I'm a little unclear on what this is doing - can you clarify?

> +		}
>  
> +		retval = semanage_base_merge_components(sh);
> +		if (retval < 0)
> +		  goto cleanup;
> +
> +		/* Seusers */
> +	}
>  	/* ======= Post-process: Validate non-policydb components ===== */
>  
>  	/* Validate local modifications to file contexts.
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
> --- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08 15:23:20.000000000 -0400
> @@ -1648,6 +1648,47 @@
>  }
>  
>  /**
> + * Read the policy from the sandbox (kernel)
> + */
> +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
> +{
> +
> +	int retval = STATUS_ERR;
> +	const char *kernel_filename = NULL;
> +	struct sepol_policy_file *pf = NULL;
> +	FILE *infile = NULL;
> +
> +	if ((kernel_filename =
> +	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
> +		goto cleanup;
> +	}
> +	if ((infile = fopen(kernel_filename, "r")) == NULL) {
> +		ERR(sh, "Could not open kernel policy %s for reading.",
> +		    kernel_filename);
> +		goto cleanup;
> +	}
> +	__fsetlocking(infile, FSETLOCKING_BYCALLER);
> +	if (sepol_policy_file_create(&pf)) {
> +		ERR(sh, "Out of memory!");
> +		goto cleanup;
> +	}
> +	sepol_policy_file_set_fp(pf, infile);
> +	sepol_policy_file_set_handle(pf, sh->sepolh);
> +	if (sepol_policydb_read(in, pf) == -1) {
> +		ERR(sh, "Error while reading kernel policy from %s.",
> +		    kernel_filename);
> +		goto cleanup;
> +	}
> +	retval = STATUS_SUCCESS;
> +
> +      cleanup:
> +	if (infile != NULL) {
> +		fclose(infile);
> +	}
> +	sepol_policy_file_free(pf);
> +	return retval;
> +}
> +/**
>   * Writes the final policy to the sandbox (kernel)
>   */
>  int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
> --- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11 09:05:16.000000000 -0400
> @@ -97,6 +97,9 @@
>  			    sepol_module_package_t * base,
>  			    sepol_policydb_t ** policydb);
>  
> +int semanage_read_policydb(semanage_handle_t * sh,
> +			    sepol_policydb_t * policydb);
> +
>  int semanage_write_policydb(semanage_handle_t * sh,
>  			    sepol_policydb_t * policydb);
>  
-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-22 13:38 ` Stephen Smalley
@ 2008-08-26 15:11   ` Daniel J Walsh
  2008-08-26 15:28     ` Joshua Brindle
  2008-08-27  1:52     ` Ivan Gyurdiev
  0 siblings, 2 replies; 19+ messages in thread
From: Daniel J Walsh @ 2008-08-26 15:11 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SE Linux, Joshua Brindle, ivg231

[-- Attachment #1: Type: text/plain, Size: 5275 bytes --]

Updated patch.  Comments inlined.

Stephen Smalley wrote:
> On Thu, 2008-08-14 at 15:46 -0400, Daniel J Walsh wrote:
> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
> 
plain text document attachment (libsemanage-rhat.patch)
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c
libsemanage-2.0.27/src/direct_api.c
--- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
@@ -489,12 +489,6 @@
 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
 	modified |= nodes->dtable->is_modified(nodes->dbase);

-	/* FIXME: get rid of these, once we support loading the existing policy,
-	 * instead of rebuilding it */
-	modified |= seusers_modified;
-	modified |= fcontexts_modified;
-	modified |= users_extra_modified;
-
 	/* If there were policy changes, or explicitly requested, rebuild the
policy */
 	if (sh->do_rebuild || modified) {

@@ -667,11 +661,34 @@
 		retval = semanage_verify_kernel(sh);
 		if (retval < 0)
 			goto cleanup;
-	}
+	} else {
+		sepol_policydb_create(&out);

> We should test for failure here (out of memory condition possible).

Ok I will modify


+		modified |= seusers_modified;
+		modified |= fcontexts_modified;
+		modified |= users_extra_modified;

> Should we be setting modified here or just testing for these other
> _modified flags where needed?

Ditto
+		
+		retval = semanage_read_policydb(sh, out);

> Are there any other situations where we can re-use the existing kernel
> policy like this?  e.g. Do we really need to re-link/expand the modules
> if we aren't actually modifying modules?  Although there I suppose we
> might want a copy of the policy before merging local customizations.

Maybe, although you would need someone who understands the library better
than I do.

> Also reminds me of the whole question of why we don't do incremental
> linking to avoid having to re-link each time.

That sounds good to me.
+		if (retval < 0)
+			goto cleanup;
+		
+		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
+		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);

> Ivan suggested these shouldn't be necessary as long as you make the
> later detach conditional.  But he also raised a concern about merging
> with the base seusers or users_extra from the modules?  

Removed and only detach if modified is set.

-	/* FIXME: else if !modified, but seusers_modified,
-	 * load the existing policy instead of rebuilding */
+		if (seusers_modified) {
+			retval = pseusers->dtable->clear(sh, pseusers->dbase);
+			if (retval < 0)
+				goto cleanup;

> I'm a little unclear on what this is doing - can you clarify?
This is clearing the existing seusers.final file, otherwise delete was
not working.


+		}

+		retval = semanage_base_merge_components(sh);
+		if (retval < 0)
+		  goto cleanup;
+
+		/* Seusers */
+	}
 	/* ======= Post-process: Validate non-policydb components ===== */

 	/* Validate local modifications to file contexts.
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c
libsemanage-2.0.27/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08
15:23:20.000000000 -0400
@@ -1648,6 +1648,47 @@
 }

 /**
+ * Read the policy from the sandbox (kernel)
+ */
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+{
+
+	int retval = STATUS_ERR;
+	const char *kernel_filename = NULL;
+	struct sepol_policy_file *pf = NULL;
+	FILE *infile = NULL;
+
+	if ((kernel_filename =
+	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
+		goto cleanup;
+	}
+	if ((infile = fopen(kernel_filename, "r")) == NULL) {
+		ERR(sh, "Could not open kernel policy %s for reading.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	__fsetlocking(infile, FSETLOCKING_BYCALLER);
+	if (sepol_policy_file_create(&pf)) {
+		ERR(sh, "Out of memory!");
+		goto cleanup;
+	}
+	sepol_policy_file_set_fp(pf, infile);
+	sepol_policy_file_set_handle(pf, sh->sepolh);
+	if (sepol_policydb_read(in, pf) == -1) {
+		ERR(sh, "Error while reading kernel policy from %s.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	retval = STATUS_SUCCESS;
+
+      cleanup:
+	if (infile != NULL) {
+		fclose(infile);
+	}
+	sepol_policy_file_free(pf);
+	return retval;
+}
+/**
  * Writes the final policy to the sandbox (kernel)
  */
 int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h
libsemanage-2.0.27/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11
09:05:16.000000000 -0400
@@ -97,6 +97,9 @@
 			    sepol_module_package_t * base,
 			    sepol_policydb_t ** policydb);

+int semanage_read_policydb(semanage_handle_t * sh,
+			    sepol_policydb_t * policydb);
+
 int semanage_write_policydb(semanage_handle_t * sh,
 			    sepol_policydb_t * policydb);



[-- Attachment #2: libsemanage-rhat.patch --]
[-- Type: text/plain, Size: 8426 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
--- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/direct_api.c	2008-08-26 10:25:38.000000000 -0400
@@ -489,12 +489,6 @@
 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
 	modified |= nodes->dtable->is_modified(nodes->dbase);
 
-	/* FIXME: get rid of these, once we support loading the existing policy,
-	 * instead of rebuilding it */
-	modified |= seusers_modified;
-	modified |= fcontexts_modified;
-	modified |= users_extra_modified;
-
 	/* If there were policy changes, or explicitly requested, rebuild the policy */
 	if (sh->do_rebuild || modified) {
 
@@ -667,11 +661,33 @@
 		retval = semanage_verify_kernel(sh);
 		if (retval < 0)
 			goto cleanup;
-	}
+	} else {
+		retval = sepol_policydb_create(&out);
+		if (retval < 0)
+			goto cleanup;
+		
+		retval = semanage_read_policydb(sh, out);
+		if (retval < 0)
+			goto cleanup;
+		
+		/*		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
+		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
+		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
+		*/
+		if (seusers_modified) {
+			retval = pseusers->dtable->clear(sh, pseusers->dbase);
+			if (retval < 0)
+				goto cleanup;
+		}
 
-	/* FIXME: else if !modified, but seusers_modified, 
-	 * load the existing policy instead of rebuilding */
+		retval = semanage_base_merge_components(sh);
+		if (retval < 0)
+		  goto cleanup;
 
+		/* Seusers */
+	}
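Review bot: The five `dbase_policydb_attach()` calls are left in as a commented-out block rather than removed; commented-out code should be deleted, since the version history already records it. With the attach calls gone, nothing visible in this hunk consumes `out` after `semanage_read_policydb(sh, out)` returns, so the create/read pair looks like dead work that still costs a full policy parse — if the read is kept only to validate that the active policy is loadable, a comment such as `/* Load the active kernel policy so an unreadable store fails the commit */` should say so; if it is not needed, drop it together with the create. The stray `/* Seusers */` comment at the end of the branch also labels nothing. The enclosing function continues outside the hunk.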
 	/* ======= Post-process: Validate non-policydb components ===== */
 
 	/* Validate local modifications to file contexts.
@@ -724,7 +740,8 @@
 	sepol_policydb_free(out);
 	out = NULL;
 
-	if (sh->do_rebuild || modified) {
+	if (sh->do_rebuild || modified || 
+	    seusers_modified || fcontexts_modified || users_extra_modified) {
 		retval = semanage_install_sandbox(sh);
 	}
 
@@ -733,12 +750,14 @@
 		free(mod_filenames[i]);
 	}
 
-	/* Detach from policydb, so it can be freed */
-	dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+	if (modified) {
+		/* Detach from policydb, so it can be freed */
+		dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+	}
 
 	free(mod_filenames);
 	sepol_policydb_free(out);
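Review bot: The detach is now guarded by `modified` alone, but the rebuild branch earlier in this function is entered on `sh->do_rebuild || modified` (visible in the first hunk). On a forced rebuild with no dbase modifications the attach that presumably happens in that branch (outside this hunk) is never undone, so the users/ports/ifaces/nodes/bools dbases keep pointing at `out`, which `sepol_policydb_free(out)` on the last line then frees; any later use of those dbases through the handle would touch freed memory. The guard should mirror the rebuild condition: `if (sh->do_rebuild || modified) {`. The same consideration applies to the `goto cleanup` paths that leave the rebuild branch after the attach.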
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
--- nsalibsemanage/src/genhomedircon.c	2008-08-05 09:57:28.000000000 -0400
+++ libsemanage-2.0.27/src/genhomedircon.c	2008-08-26 10:30:30.000000000 -0400
@@ -487,7 +487,6 @@
 				  const char *role_prefix)
 {
 	replacement_pair_t repl[] = {
-		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
 		{.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
 		{NULL, NULL}
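Review bot: Dropping the `TEMPLATE_SEUSER` pair leaves `seuser` unreferenced in this function's replacement table; if `seuser` is a parameter of this function (its signature starts above the hunk), it becomes an unused parameter and will warn under `-Wunused-parameter`, so either the parameter should go as well or the reason it is kept should be stated in a comment. The function starts before and ends after this hunk.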
@@ -547,7 +546,6 @@
 	replacement_pair_t repl[] = {
 		{.search_for = TEMPLATE_USER,.replace_with = user},
 		{.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
-		{.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
 		{NULL, NULL}
 	};
 	Ustr *line = USTR_NULL;
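Review bot: With the `TEMPLATE_SEUSER` substitution removed from this table, any template line that still carries the seuser placeholder would be written into the generated homedir contexts verbatim rather than expanded, which would produce a file_contexts entry that matches no real user; I cannot see the templates from here, so this is worth confirming before the hunk goes in. If the placeholder is no longer used by any template, a one-line comment above the table, e.g. `/* seuser is no longer substituted; templates carry the role prefix only */`, would record why the pair is gone. The enclosing function continues outside the hunk.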
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
--- nsalibsemanage/src/semanage.conf	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage.conf	2008-08-14 14:53:32.000000000 -0400
@@ -35,4 +35,4 @@
 # given in <sepol/policydb.h>.  Change this setting if a different
 # version is necessary.
 #policy-version = 19
-
+expand-check=0
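Review bot: Shipping `expand-check=0` as the default in semanage.conf changes security behaviour for every install, not just this speed-up: as I understand it, expand-check controls whether neverallow assertions are verified when the policy is expanded, so with it off a module that violates a neverallow would be linked and installed silently. If the setting is ever meant to be in the shipped file it should be left commented out like the surrounding `#policy-version = 19` example, with a comment describing the trade-off, e.g. `# expand-check=0 skips neverallow checks during expand; faster, but unsafe as a default`.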
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.c	2008-08-14 14:53:32.000000000 -0400
@@ -1648,6 +1648,47 @@
 }
 
 /**
+ * Read the policy from the sandbox (kernel)
+ */
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+{
+
+	int retval = STATUS_ERR;
+	const char *kernel_filename = NULL;
+	struct sepol_policy_file *pf = NULL;
+	FILE *infile = NULL;
+
+	if ((kernel_filename =
+	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
+		goto cleanup;
+	}
+	if ((infile = fopen(kernel_filename, "r")) == NULL) {
+		ERR(sh, "Could not open kernel policy %s for reading.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	__fsetlocking(infile, FSETLOCKING_BYCALLER);
+	if (sepol_policy_file_create(&pf)) {
+		ERR(sh, "Out of memory!");
+		goto cleanup;
+	}
+	sepol_policy_file_set_fp(pf, infile);
+	sepol_policy_file_set_handle(pf, sh->sepolh);
+	if (sepol_policydb_read(in, pf) == -1) {
+		ERR(sh, "Error while reading kernel policy from %s.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	retval = STATUS_SUCCESS;
+
+      cleanup:
+	if (infile != NULL) {
+		fclose(infile);
+	}
+	sepol_policy_file_free(pf);
+	return retval;
+}
+/**
  * Writes the final policy to the sandbox (kernel)
  */
 int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
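Review bot: The `fopen()` failure reports only the file name and not why it failed, while the two later errors are similarly opaque; since `errno` is set on that path, `ERR(sh, "Could not open kernel policy %s for reading: %s", kernel_filename, strerror(errno));` would tell the operator whether the active store is missing, unreadable or mislabelled (this needs `<string.h>` and `<errno.h>`, which may already be included above the hunk). The `semanage_path()` failure path returns `STATUS_ERR` with no message at all. Comparing `sepol_policydb_read()` against exactly `-1` is fragile; `< 0` is the usual check for libsepol return values, as the caller of this function already does with `retval`.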
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.h	2008-08-14 14:53:32.000000000 -0400
@@ -97,6 +97,9 @@
 			    sepol_module_package_t * base,
 			    sepol_policydb_t ** policydb);
 
+int semanage_read_policydb(semanage_handle_t * sh,
+			    sepol_policydb_t * policydb);
+
 int semanage_write_policydb(semanage_handle_t * sh,
 			    sepol_policydb_t * policydb);
 
diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c
--- nsalibsemanage/tests/test_fcontext.c	1969-12-31 19:00:00.000000000 -0500
+++ libsemanage-2.0.27/tests/test_fcontext.c	2008-08-15 10:59:48.000000000 -0400
@@ -0,0 +1,72 @@
+#include <semanage/fcontext_record.h>
+#include <semanage/semanage.h>
+#include <semanage/fcontexts_local.h>
+#include <sepol/sepol.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(const int argc, const char **argv) {
+	semanage_handle_t *sh = NULL;
+	semanage_fcontext_t *fcontext;
+	semanage_context_t *con;
+	semanage_fcontext_key_t *k;
+
+	int exist = 0;
+	sh = semanage_handle_create();
+	if (sh == NULL) { 
+		perror("Can't create semanage handle\n");
+		return -1;
+	}
+        if (semanage_access_check(sh) < 0) {
+		perror("Semanage access check failed\n");
+		return -1;
+	}
+        if (semanage_connect(sh) < 0) {
+		perror("Semanage connect failed\n");
+		return -1;
+	}
+
+	if (semanage_fcontext_key_create(sh, argv[2], SEMANAGE_FCONTEXT_REG, &k) < 0) {
+		fprintf(stderr, "Could not create key for %s", argv[2]);
+		return -1;
+	}
+
+	if(semanage_fcontext_exists(sh, k, &exist) < 0) {
+		fprintf(stderr,"Could not check if key exists for %s", argv[2]);
+		return -1;
+	}
+	if (exist) {
+		fprintf(stderr,"Could create %s mapping already exists", argv[2]);
+		return -1;
+	}
+
+	if (semanage_fcontext_create(sh, &fcontext) < 0) {
+		fprintf(stderr,"Could not create file context for %s", argv[2]);
+		return -1;
+	}
+	semanage_fcontext_set_expr(sh, fcontext, argv[2]);
+
+	if (semanage_context_from_string(sh, argv[1], &con)) {
+		fprintf(stderr,"Could not create context using %s for file context %s", argv[1], argv[2]);
+		return -1;
+	}
+
+	if (semanage_fcontext_set_con(sh, fcontext, con) < 0) {
+		fprintf(stderr,"Could not set file context for %s", argv[2]);
+		return -1;
+	}
+
+	semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_REG);
+
+	if(semanage_fcontext_modify_local(sh, k, fcontext) < 0) {
+		fprintf(stderr,"Could not add file context for %s", argv[2]);
+		return -1;
+	}
+	semanage_fcontext_key_free(k);
+	semanage_fcontext_free(fcontext);
+
+	return 0;
+}
+
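Review bot: `argv[1]` and `argv[2]` are dereferenced without checking `argc`, so running the test with fewer than two arguments dereferences NULL inside `semanage_fcontext_key_create()`; add `if (argc != 3) { fprintf(stderr, "usage: %s context regex\n", argv[0]); return -1; }` before the handle is created. Every error return after `semanage_connect()` leaves the handle connected and the key/fcontext/context objects allocated, and `con` is never freed even on success; a single `cleanup:` label that frees `k`, `fcontext` and `con` and disconnects and destroys `sh` would fix both. The program never calls `semanage_commit()`, so as written the local modification is discarded when the process exits — if that is intended (a test that only exercises the in-memory API) a comment should say so. `perror()` appends the errno text after the message, so the embedded `\n` in `"Can't create semanage handle\n"` puts the strerror on its own line; drop the newline or use `fprintf(stderr, ...)` as the rest of the file does.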


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-26 15:11   ` Daniel J Walsh
@ 2008-08-26 15:28     ` Joshua Brindle
  2008-08-26 17:26       ` Daniel J Walsh
  2008-08-27  1:52     ` Ivan Gyurdiev
  1 sibling, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2008-08-26 15:28 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, ivg231

Daniel J Walsh wrote:
> Updated patch.  Comments inlined.
> 
> Stephen Smalley wrote:
>> On Thu, 2008-08-14 at 15:46 -0400, Daniel J Walsh wrote:
>> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
>>
> plain text document attachment (libsemanage-rhat.patch)
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c
> libsemanage-2.0.27/src/direct_api.c
> --- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
> @@ -489,12 +489,6 @@
>  	modified |= ifaces->dtable->is_modified(ifaces->dbase);
>  	modified |= nodes->dtable->is_modified(nodes->dbase);
> 
> -	/* FIXME: get rid of these, once we support loading the existing policy,
> -	 * instead of rebuilding it */
> -	modified |= seusers_modified;
> -	modified |= fcontexts_modified;
> -	modified |= users_extra_modified;
> -
>  	/* If there were policy changes, or explicitly requested, rebuild the
> policy */
>  	if (sh->do_rebuild || modified) {
> 
> @@ -667,11 +661,34 @@
>  		retval = semanage_verify_kernel(sh);
>  		if (retval < 0)
>  			goto cleanup;
> -	}
> +	} else {
> +		sepol_policydb_create(&out);
> 
>> We should test for failure here (out of memory condition possible).
> 
> Ok I will modify
> 
> 
> +		modified |= seusers_modified;
> +		modified |= fcontexts_modified;
> +		modified |= users_extra_modified;
> 
>> Should we be setting modified here or just testing for these other
>> _modified flags where needed?
> 
> Ditto
> +		
> +		retval = semanage_read_policydb(sh, out);
> 
>> Are there any other situations where we can re-use the existing kernel
>> policy like this?  e.g. Do we really need to re-link/expand the modules
>> if we aren't actually modifying modules?  Although there I suppose we
>> might want a copy of the policy before merging local customizations.
> 
> Maybe although you would need someone who understands the library better
> then I do.
> 
>> Also reminds me of the whole question of why we don't do incremental
>> linking to avoid having to re-link each time.
> 
> That sounds good to me.
> +		if (retval < 0)
> +			goto cleanup;
> +		
> +		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
> +		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
> +		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
> 
>> Ivan suggested these shouldn't be necessary as long as you make the
>> later detach conditional.  But he also raised a concern about merging
>> with the base seusers or users_extra from the modules?  
> 
> Removed and only detach if modified is set.
> 
> -	/* FIXME: else if !modified, but seusers_modified,
> -	 * load the existing policy instead of rebuilding */
> +		if (seusers_modified) {
> +			retval = pseusers->dtable->clear(sh, pseusers->dbase);
> +			if (retval < 0)
> +				goto cleanup;
> 
>> I'm a little unclear on what this is doing - can you clarify?
> This is clearing the existing seusers.final file, otherwise delete was
> not working.
> 
> 
> +		}
> 
> +		retval = semanage_base_merge_components(sh);
> +		if (retval < 0)
> +		  goto cleanup;
> +
> +		/* Seusers */
> +	}
>  	/* ======= Post-process: Validate non-policydb components ===== */
> 
>  	/* Validate local modifications to file contexts.
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c
> libsemanage-2.0.27/src/semanage_store.c
> --- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08
> 15:23:20.000000000 -0400
> @@ -1648,6 +1648,47 @@
>  }
> 
>  /**
> + * Read the policy from the sandbox (kernel)
> + */
> +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
> +{
> +
> +	int retval = STATUS_ERR;
> +	const char *kernel_filename = NULL;
> +	struct sepol_policy_file *pf = NULL;
> +	FILE *infile = NULL;
> +
> +	if ((kernel_filename =
> +	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
> +		goto cleanup;
> +	}
> +	if ((infile = fopen(kernel_filename, "r")) == NULL) {
> +		ERR(sh, "Could not open kernel policy %s for reading.",
> +		    kernel_filename);
> +		goto cleanup;
> +	}
> +	__fsetlocking(infile, FSETLOCKING_BYCALLER);
> +	if (sepol_policy_file_create(&pf)) {
> +		ERR(sh, "Out of memory!");
> +		goto cleanup;
> +	}
> +	sepol_policy_file_set_fp(pf, infile);
> +	sepol_policy_file_set_handle(pf, sh->sepolh);
> +	if (sepol_policydb_read(in, pf) == -1) {
> +		ERR(sh, "Error while reading kernel policy from %s.",
> +		    kernel_filename);
> +		goto cleanup;
> +	}
> +	retval = STATUS_SUCCESS;
> +
> +      cleanup:
> +	if (infile != NULL) {
> +		fclose(infile);
> +	}
> +	sepol_policy_file_free(pf);
> +	return retval;
> +}
> +/**
>   * Writes the final policy to the sandbox (kernel)
>   */
>  int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h
> libsemanage-2.0.27/src/semanage_store.h
> --- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11
> 09:05:16.000000000 -0400
> @@ -97,6 +97,9 @@
>  			    sepol_module_package_t * base,
>  			    sepol_policydb_t ** policydb);
> 
> +int semanage_read_policydb(semanage_handle_t * sh,
> +			    sepol_policydb_t * policydb);
> +
>  int semanage_write_policydb(semanage_handle_t * sh,
>  			    sepol_policydb_t * policydb);
> 
> 
> 
> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
> --- nsalibsemanage/src/genhomedircon.c        2008-08-05 09:57:28.000000000 -0400
> +++ libsemanage-2.0.27/src/genhomedircon.c    2008-08-26 10:30:30.000000000 -0400
> @@ -487,7 +487,6 @@
>                                 const char *role_prefix)
>  {
>       replacement_pair_t repl[] = {
> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>               {.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
>               {NULL, NULL}
> @@ -547,7 +546,6 @@
>       replacement_pair_t repl[] = {
>               {.search_for = TEMPLATE_USER,.replace_with = user},
>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>               {NULL, NULL}
>       };
>       Ustr *line = USTR_NULL;

I was with you up until this, why remove seuser from genhomedircon?

> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
> --- nsalibsemanage/src/semanage.conf  2008-06-12 23:25:16.000000000 -0400
> +++ libsemanage-2.0.27/src/semanage.conf      2008-08-14 14:53:32.000000000 -0400
> @@ -35,4 +35,4 @@
>  # given in <sepol/policydb.h>.  Change this setting if a different
>  # version is necessary.
>  #policy-version = 19
> -
> +expand-check=0

nack on this hunk. don't worry about updating the patch just for this change, I'll remove it when I merge.
                                                                                                                         

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-26 15:28     ` Joshua Brindle
@ 2008-08-26 17:26       ` Daniel J Walsh
  2008-08-26 18:42         ` Joshua Brindle
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2008-08-26 17:26 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, SE Linux, ivg231

Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> Updated patch.  Comments inlined.
>>
>> Stephen Smalley wrote:
>>> On Thu, 2008-08-14 at 15:46 -0400, Daniel J Walsh wrote:
>>> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
>>>
>> plain text document attachment (libsemanage-rhat.patch)
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c
>> libsemanage-2.0.27/src/direct_api.c
>> --- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
>> +++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
>> @@ -489,12 +489,6 @@
>>  	modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>  	modified |= nodes->dtable->is_modified(nodes->dbase);
>>
>> -	/* FIXME: get rid of these, once we support loading the existing policy,
>> -	 * instead of rebuilding it */
>> -	modified |= seusers_modified;
>> -	modified |= fcontexts_modified;
>> -	modified |= users_extra_modified;
>> -
>>  	/* If there were policy changes, or explicitly requested, rebuild the
>> policy */
>>  	if (sh->do_rebuild || modified) {
>>
>> @@ -667,11 +661,34 @@
>>  		retval = semanage_verify_kernel(sh);
>>  		if (retval < 0)
>>  			goto cleanup;
>> -	}
>> +	} else {
>> +		sepol_policydb_create(&out);
>>
>>> We should test for failure here (out of memory condition possible).
>> Ok I will modify
>>
>>
>> +		modified |= seusers_modified;
>> +		modified |= fcontexts_modified;
>> +		modified |= users_extra_modified;
>>
>>> Should we be setting modified here or just testing for these other
>>> _modified flags where needed?
>> Ditto
>> +		
>> +		retval = semanage_read_policydb(sh, out);
>>
>>> Are there any other situations where we can re-use the existing kernel
>>> policy like this?  e.g. Do we really need to re-link/expand the modules
>>> if we aren't actually modifying modules?  Although there I suppose we
>>> might want a copy of the policy before merging local customizations.
>> Maybe although you would need someone who understands the library better
>> than I do.
>>
>>> Also reminds me of the whole question of why we don't do incremental
>>> linking to avoid having to re-link each time.
>> That sounds good to me.
>> +		if (retval < 0)
>> +			goto cleanup;
>> +		
>> +		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
>> +		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
>> +		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
>> +		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
>> +		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
>>
>>> Ivan suggested these shouldn't be necessary as long as you make the
>>> later detach conditional.  But he also raised a concern about merging
>>> with the base seusers or users_extra from the modules?  
>> Removed and only detach if modified is set.
>>
>> -	/* FIXME: else if !modified, but seusers_modified,
>> -	 * load the existing policy instead of rebuilding */
>> +		if (seusers_modified) {
>> +			retval = pseusers->dtable->clear(sh, pseusers->dbase);
>> +			if (retval < 0)
>> +				goto cleanup;
>>
>>> I'm a little unclear on what this is doing - can you clarify?
>> This is clearing the existing seusers.final file, otherwise delete was
>> not working.
>>
>>
>> +		}
>>
>> +		retval = semanage_base_merge_components(sh);
>> +		if (retval < 0)
>> +		  goto cleanup;
>> +
>> +		/* Seusers */
>> +	}
>>  	/* ======= Post-process: Validate non-policydb components ===== */
>>
>>  	/* Validate local modifications to file contexts.
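Review bot: The `goto cleanup;` after the `semanage_base_merge_components` check is indented with spaces while every other line in the hunk uses tabs, and the `/* Seusers */` comment just before the closing brace labels nothing; fix the indent and either drop that comment or replace it with one that says what the branch does, e.g. `/* No policy change: reuse the existing kernel policy and merge local components */`. The two `+` lines that contain only tabs are whitespace-only and should go. The enclosing function starts and ends outside the hunk, so whether the `out` created in this branch is released on the cleanup path cannot be checked here; worth confirming, since the rebuild branch presumably had its own ownership of `out`. The same hunk is quoted again later in the thread.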
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c
>> libsemanage-2.0.27/src/semanage_store.c
>> --- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
>> +++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08
>> 15:23:20.000000000 -0400
>> @@ -1648,6 +1648,47 @@
>>  }
>>
>>  /**
>> + * Read the policy from the sandbox (kernel)
>> + */
>> +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
>> +{
>> +
>> +	int retval = STATUS_ERR;
>> +	const char *kernel_filename = NULL;
>> +	struct sepol_policy_file *pf = NULL;
>> +	FILE *infile = NULL;
>> +
>> +	if ((kernel_filename =
>> +	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
>> +		goto cleanup;
>> +	}
>> +	if ((infile = fopen(kernel_filename, "r")) == NULL) {
>> +		ERR(sh, "Could not open kernel policy %s for reading.",
>> +		    kernel_filename);
>> +		goto cleanup;
>> +	}
>> +	__fsetlocking(infile, FSETLOCKING_BYCALLER);
>> +	if (sepol_policy_file_create(&pf)) {
>> +		ERR(sh, "Out of memory!");
>> +		goto cleanup;
>> +	}
>> +	sepol_policy_file_set_fp(pf, infile);
>> +	sepol_policy_file_set_handle(pf, sh->sepolh);
>> +	if (sepol_policydb_read(in, pf) == -1) {
>> +		ERR(sh, "Error while reading kernel policy from %s.",
>> +		    kernel_filename);
>> +		goto cleanup;
>> +	}
>> +	retval = STATUS_SUCCESS;
>> +
>> +      cleanup:
>> +	if (infile != NULL) {
>> +		fclose(infile);
>> +	}
>> +	sepol_policy_file_free(pf);
>> +	return retval;
>> +}
>> +/**
>>   * Writes the final policy to the sandbox (kernel)
>>   */
>>  int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
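Review bot: The `semanage_path()` failure branch returns `STATUS_ERR` with no diagnostic, unlike the `fopen` and `sepol_policydb_read` failures that call `ERR()`; add `ERR(sh, "Could not determine kernel policy path.");` before that `goto cleanup` so the caller can tell why the read failed. The `sepol_policydb_read(in, pf) == -1` test also departs from the `< 0` convention the rest of the patch uses; `< 0` is the safer form unless -1 is known to be the only failure value. The header comment should also state that `in` must be a policydb already obtained from `sepol_policydb_create()` and that its contents are unspecified on failure. The same hunk is quoted again later in the thread.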
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h
>> libsemanage-2.0.27/src/semanage_store.h
>> --- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
>> +++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11
>> 09:05:16.000000000 -0400
>> @@ -97,6 +97,9 @@
>>  			    sepol_module_package_t * base,
>>  			    sepol_policydb_t ** policydb);
>>
>> +int semanage_read_policydb(semanage_handle_t * sh,
>> +			    sepol_policydb_t * policydb);
>> +
>>  int semanage_write_policydb(semanage_handle_t * sh,
>>  			    sepol_policydb_t * policydb);
>>
>>
>>
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
>> --- nsalibsemanage/src/genhomedircon.c        2008-08-05 09:57:28.000000000 -0400
>> +++ libsemanage-2.0.27/src/genhomedircon.c    2008-08-26 10:30:30.000000000 -0400
>> @@ -487,7 +487,6 @@
>>                                 const char *role_prefix)
>>  {
>>       replacement_pair_t repl[] = {
>> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>>               {.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
>>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
>>               {NULL, NULL}
>> @@ -547,7 +546,6 @@
>>       replacement_pair_t repl[] = {
>>               {.search_for = TEMPLATE_USER,.replace_with = user},
>>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
>> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>>               {NULL, NULL}
>>       };
>>       Ustr *line = USTR_NULL;
> 
> I was with you up until this, why remove seuser from genhomedircon?
> 
>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage.conf libsemanage-2.0.27/src/semanage.conf
>> --- nsalibsemanage/src/semanage.conf  2008-06-12 23:25:16.000000000 -0400
>> +++ libsemanage-2.0.27/src/semanage.conf      2008-08-14 14:53:32.000000000 -0400
>> @@ -35,4 +35,4 @@
>>  # given in <sepol/policydb.h>.  Change this setting if a different
>>  # version is necessary.
>>  #policy-version = 19
>> -
>> +expand-check=0
> 
> nack on this hunk. don't worry about updating the patch just for this change, I'll remove it when I merge.
>                                                                                                                          
Yes that hunk was not supposed to be there.  Sorry about that.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-26 17:26       ` Daniel J Walsh
@ 2008-08-26 18:42         ` Joshua Brindle
  0 siblings, 0 replies; 19+ messages in thread
From: Joshua Brindle @ 2008-08-26 18:42 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, ivg231

Daniel J Walsh wrote:
> Joshua Brindle wrote:
>> Daniel J Walsh wrote:
>>> Updated patch.  Comments inlined.
>>>
>>> Stephen Smalley wrote:
>>>> On Thu, 2008-08-14 at 15:46 -0400, Daniel J Walsh wrote:
>>>> Patch speeds up semanage command from 17-20 seconds to 3-4 seconds.
>>>>
>>> plain text document attachment (libsemanage-rhat.patch)
>>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c
>>> libsemanage-2.0.27/src/direct_api.c
>>> --- nsalibsemanage/src/direct_api.c	2008-06-12 23:25:16.000000000 -0400
>>> +++ libsemanage-2.0.27/src/direct_api.c	2008-08-14 11:51:15.000000000 -0400
>>> @@ -489,12 +489,6 @@
>>>  	modified |= ifaces->dtable->is_modified(ifaces->dbase);
>>>  	modified |= nodes->dtable->is_modified(nodes->dbase);
>>>
>>> -	/* FIXME: get rid of these, once we support loading the existing policy,
>>> -	 * instead of rebuilding it */
>>> -	modified |= seusers_modified;
>>> -	modified |= fcontexts_modified;
>>> -	modified |= users_extra_modified;
>>> -
>>>  	/* If there were policy changes, or explicitly requested, rebuild the
>>> policy */
>>>  	if (sh->do_rebuild || modified) {
>>>
>>> @@ -667,11 +661,34 @@
>>>  		retval = semanage_verify_kernel(sh);
>>>  		if (retval < 0)
>>>  			goto cleanup;
>>> -	}
>>> +	} else {
>>> +		sepol_policydb_create(&out);
>>>
>>>> We should test for failure here (out of memory condition possible).
>>> Ok I will modify
>>>
>>>
>>> +		modified |= seusers_modified;
>>> +		modified |= fcontexts_modified;
>>> +		modified |= users_extra_modified;
>>>
>>>> Should we be setting modified here or just testing for these other
>>>> _modified flags where needed?
>>> Ditto
>>> +		
>>> +		retval = semanage_read_policydb(sh, out);
>>>
>>>> Are there any other situations where we can re-use the existing kernel
>>>> policy like this?  e.g. Do we really need to re-link/expand the modules
>>>> if we aren't actually modifying modules?  Although there I suppose we
>>>> might want a copy of the policy before merging local customizations.
>>> Maybe although you would need someone who understands the library better
>>> than I do.
>>>
>>>> Also reminds me of the whole question of why we don't do incremental
>>>> linking to avoid having to re-link each time.
>>> That sounds good to me.
>>> +		if (retval < 0)
>>> +			goto cleanup;
>>> +		
>>> +		dbase_policydb_attach((dbase_policydb_t *) pusers_base->dbase,out);
>>> +		dbase_policydb_attach((dbase_policydb_t *) pports->dbase, out);
>>> +		dbase_policydb_attach((dbase_policydb_t *) pifaces->dbase, out);
>>> +		dbase_policydb_attach((dbase_policydb_t *) pbools->dbase, out);
>>> +		dbase_policydb_attach((dbase_policydb_t *) pnodes->dbase, out);
>>>
>>>> Ivan suggested these shouldn't be necessary as long as you make the
>>>> later detach conditional.  But he also raised a concern about merging
>>>> with the base seusers or users_extra from the modules?  
>>> Removed and only detach if modified is set.
>>>
>>> -	/* FIXME: else if !modified, but seusers_modified,
>>> -	 * load the existing policy instead of rebuilding */
>>> +		if (seusers_modified) {
>>> +			retval = pseusers->dtable->clear(sh, pseusers->dbase);
>>> +			if (retval < 0)
>>> +				goto cleanup;
>>>
>>>> I'm a little unclear on what this is doing - can you clarify?
>>> This is clearing the existing seusers.final file, otherwise delete was
>>> not working.
>>>
>>>
>>> +		}
>>>
>>> +		retval = semanage_base_merge_components(sh);
>>> +		if (retval < 0)
>>> +		  goto cleanup;
>>> +
>>> +		/* Seusers */
>>> +	}
>>>  	/* ======= Post-process: Validate non-policydb components ===== */
>>>
>>>  	/* Validate local modifications to file contexts.
>>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c
>>> libsemanage-2.0.27/src/semanage_store.c
>>> --- nsalibsemanage/src/semanage_store.c	2008-06-12 23:25:16.000000000 -0400
>>> +++ libsemanage-2.0.27/src/semanage_store.c	2008-08-08
>>> 15:23:20.000000000 -0400
>>> @@ -1648,6 +1648,47 @@
>>>  }
>>>
>>>  /**
>>> + * Read the policy from the sandbox (kernel)
>>> + */
>>> +int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
>>> +{
>>> +
>>> +	int retval = STATUS_ERR;
>>> +	const char *kernel_filename = NULL;
>>> +	struct sepol_policy_file *pf = NULL;
>>> +	FILE *infile = NULL;
>>> +
>>> +	if ((kernel_filename =
>>> +	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
>>> +		goto cleanup;
>>> +	}
>>> +	if ((infile = fopen(kernel_filename, "r")) == NULL) {
>>> +		ERR(sh, "Could not open kernel policy %s for reading.",
>>> +		    kernel_filename);
>>> +		goto cleanup;
>>> +	}
>>> +	__fsetlocking(infile, FSETLOCKING_BYCALLER);
>>> +	if (sepol_policy_file_create(&pf)) {
>>> +		ERR(sh, "Out of memory!");
>>> +		goto cleanup;
>>> +	}
>>> +	sepol_policy_file_set_fp(pf, infile);
>>> +	sepol_policy_file_set_handle(pf, sh->sepolh);
>>> +	if (sepol_policydb_read(in, pf) == -1) {
>>> +		ERR(sh, "Error while reading kernel policy from %s.",
>>> +		    kernel_filename);
>>> +		goto cleanup;
>>> +	}
>>> +	retval = STATUS_SUCCESS;
>>> +
>>> +      cleanup:
>>> +	if (infile != NULL) {
>>> +		fclose(infile);
>>> +	}
>>> +	sepol_policy_file_free(pf);
>>> +	return retval;
>>> +}
>>> +/**
>>>   * Writes the final policy to the sandbox (kernel)
>>>   */
>>>  int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
>>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h
>>> libsemanage-2.0.27/src/semanage_store.h
>>> --- nsalibsemanage/src/semanage_store.h	2008-06-12 23:25:16.000000000 -0400
>>> +++ libsemanage-2.0.27/src/semanage_store.h	2008-08-11
>>> 09:05:16.000000000 -0400
>>> @@ -97,6 +97,9 @@
>>>  			    sepol_module_package_t * base,
>>>  			    sepol_policydb_t ** policydb);
>>>
>>> +int semanage_read_policydb(semanage_handle_t * sh,
>>> +			    sepol_policydb_t * policydb);
>>> +
>>>  int semanage_write_policydb(semanage_handle_t * sh,
>>>  			    sepol_policydb_t * policydb);
>>>
>>>
>>>
>>> diff --exclude-from=exclude -N -u -r nsalibsemanage/src/genhomedircon.c libsemanage-2.0.27/src/genhomedircon.c
>>> --- nsalibsemanage/src/genhomedircon.c        2008-08-05 09:57:28.000000000 -0400
>>> +++ libsemanage-2.0.27/src/genhomedircon.c    2008-08-26 10:30:30.000000000 -0400
>>> @@ -487,7 +487,6 @@
>>>                                 const char *role_prefix)
>>>  {
>>>       replacement_pair_t repl[] = {
>>> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>>>               {.search_for = TEMPLATE_HOME_DIR,.replace_with = home},
>>>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
>>>               {NULL, NULL}
>>> @@ -547,7 +546,6 @@
>>>       replacement_pair_t repl[] = {
>>>               {.search_for = TEMPLATE_USER,.replace_with = user},
>>>               {.search_for = TEMPLATE_ROLE,.replace_with = role_prefix},
>>> -             {.search_for = TEMPLATE_SEUSER,.replace_with = seuser},
>>>               {NULL, NULL}
>>>       };
>>>       Ustr *line = USTR_NULL;
>> I was with you up until this, why remove seuser from genhomedircon?

What about this?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-26 15:11   ` Daniel J Walsh
  2008-08-26 15:28     ` Joshua Brindle
@ 2008-08-27  1:52     ` Ivan Gyurdiev
  2008-08-27 12:04       ` Stephen Smalley
  2008-09-10 14:30       ` Daniel J Walsh
  1 sibling, 2 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2008-08-27  1:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Joshua Brindle


>> I'm a little unclear on what this is doing - can you clarify?
>>     
> This is clearing the existing seusers.final file, otherwise delete was
> not working.
>   
I think the previous code was doing more - it was merging the local file 
with the shipped base package file, like this:

    data = extract_file_from_policy_package( )
    write_file ( "seusers.final", data )
    if ( data != null ) {
        seusers.clear_cache()  // thereby forcing reload from 
seusers.final when cache() is called again (in merge_components)
    } else {
        seusers.clear()
    }

It's also doing this three times (once for fcontexts, once for seusers, 
once for seusers_extra).
The problem is that you're skipping the link_sandbox call, which builds 
the base package, containing this information.

Ivan



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-27  1:52     ` Ivan Gyurdiev
@ 2008-08-27 12:04       ` Stephen Smalley
  2008-08-27 22:44         ` Joshua Brindle
  2008-09-10 14:30       ` Daniel J Walsh
  1 sibling, 1 reply; 19+ messages in thread
From: Stephen Smalley @ 2008-08-27 12:04 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Daniel J Walsh, SE Linux, Joshua Brindle


On Tue, 2008-08-26 at 21:52 -0400, Ivan Gyurdiev wrote:
> >> I'm a little unclear on what this is doing - can you clarify?
> >>     
> > This is clearing the existing seusers.final file, otherwise delete was
> > not working.
> >   
> I think the previous code was doing more - it was merging the local file 
> with the shipped base package file, like this:
> 
>     data = extract_file_from_policy_package( )
>     write_file ( "seusers.final", data )
>     if ( data != null ) {
>         seusers.clear_cache()  // thereby forcing reload from 
> seusers.final when cache() is called again (in merge_components)
>     } else {
>         seusers.clear()
>     }
> 
> It's also doing this three times (once for fcontexts, once for seusers, 
> once for seusers_extra).
> The problem is that you're skipping the link_sandbox call, which builds 
> the base package, containing this information.

We're trying to avoid the overhead of re-linking the policy when we are
only modifying non-policy components like seusers and fcontexts.
fcontexts.local is split out to a separate file for precedence reasons
so it doesn't get merged anymore.  I don't think Dan actually uses
seusers in the base policy for anything at present, but others may be.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-27 12:04       ` Stephen Smalley
@ 2008-08-27 22:44         ` Joshua Brindle
  2008-08-27 22:55           ` Joshua Brindle
  2008-09-04 15:16           ` Joshua Brindle
  0 siblings, 2 replies; 19+ messages in thread
From: Joshua Brindle @ 2008-08-27 22:44 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, Daniel J Walsh, SE Linux

Stephen Smalley wrote:
> On Tue, 2008-08-26 at 21:52 -0400, Ivan Gyurdiev wrote:
>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>     
>>> This is clearing the existing seusers.final file, otherwise delete was
>>> not working.
>>>   
>> I think the previous code was doing more - it was merging the local file 
>> with the shipped base package file, like this:
>>
>>     data = extract_file_from_policy_package( )
>>     write_file ( "seusers.final", data )
>>     if ( data != null ) {
>>         seusers.clear_cache()  // thereby forcing reload from 
>> seusers.final when cache() is called again (in merge_components)
>>     } else {
>>         seusers.clear()
>>     }
>>
>> It's also doing this three times (once for fcontexts, once for seusers, 
>> once for seusers_extra).
>> The problem is that you're skipping the link_sandbox call, which builds 
>> the base package, containing this information.
> 
> We're trying to avoid the overhead of re-linking the policy when we are
> only modifying non-policy components like seusers and fcontexts.
> fcontexts.local is split out to a separate file for precedence reasons
> so it doesn't get merged anymore.  I don't think Dan actually uses
> seusers in the base policy for anything at present, but others may be.
> 

Verified. The seusers coming from the policy are not merged into the seusers.final with this patchset. 

It appears that at present in sepol_link_packages() there is no merging of seusers from each module so we only support seusers in base presently. Therefore we don't have to worry about getting the seusers from all the modules but we do need to grab them out of the base module and combine them in.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-27 22:44         ` Joshua Brindle
@ 2008-08-27 22:55           ` Joshua Brindle
  2008-09-04 15:16           ` Joshua Brindle
  1 sibling, 0 replies; 19+ messages in thread
From: Joshua Brindle @ 2008-08-27 22:55 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, Daniel J Walsh, SE Linux

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-08-26 at 21:52 -0400, Ivan Gyurdiev wrote:
>>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>>     
>>>> This is clearing the existing seusers.final file, otherwise delete was
>>>> not working.
>>>>   
>>> I think the previous code was doing more - it was merging the local file 
>>> with the shipped base package file, like this:
>>>
>>>     data = extract_file_from_policy_package( )
>>>     write_file ( "seusers.final", data )
>>>     if ( data != null ) {
>>>         seusers.clear_cache()  // thereby forcing reload from 
>>> seusers.final when cache() is called again (in merge_components)
>>>     } else {
>>>         seusers.clear()
>>>     }
>>>
>>> It's also doing this three times (once for fcontexts, once for seusers, 
>>> once for seusers_extra).
>>> The problem is that you're skipping the link_sandbox call, which builds 
>>> the base package, containing this information.
>> We're trying to avoid the overhead of re-linking the policy when we are
>> only modifying non-policy components like seusers and fcontexts.
>> fcontexts.local is split out to a separate file for precedence reasons
>> so it doesn't get merged anymore.  I don't think Dan actually uses
>> seusers in the base policy for anything at present, but others may be.
>>
> 
> Verified. The seusers coming from the policy are not merged into the seusers.final with this patchset. 
> 
> It appears that at present in sepol_link_packages() there is no merging of seusers from each module so we only support seusers in base presently. Therefore we don't have to worry about getting the seusers from all the modules but we do need to grab them out of the base module and combine them in.
> 

semodule -B still has the expected behavior, seusers from base are added to seusers.final.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-27 22:44         ` Joshua Brindle
  2008-08-27 22:55           ` Joshua Brindle
@ 2008-09-04 15:16           ` Joshua Brindle
  2008-09-04 19:16             ` Daniel J Walsh
  1 sibling, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2008-09-04 15:16 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Ivan Gyurdiev, Daniel J Walsh, SE Linux

Joshua Brindle wrote:
> Stephen Smalley wrote:
>> On Tue, 2008-08-26 at 21:52 -0400, Ivan Gyurdiev wrote:
>>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>>     
>>>> This is clearing the existing seusers.final file, otherwise delete was
>>>> not working.
>>>>   
>>> I think the previous code was doing more - it was merging the local file 
>>> with the shipped base package file, like this:
>>>
>>>     data = extract_file_from_policy_package( )
>>>     write_file ( "seusers.final", data )
>>>     if ( data != null ) {
>>>         seusers.clear_cache()  // thereby forcing reload from 
>>> seusers.final when cache() is called again (in merge_components)
>>>     } else {
>>>         seusers.clear()
>>>     }
>>>
>>> It's also doing this three times (once for fcontexts, once for seusers, 
>>> once for seusers_extra).
>>> The problem is that you're skipping the link_sandbox call, which builds 
>>> the base package, containing this information.
>> We're trying to avoid the overhead of re-linking the policy when we are
>> only modifying non-policy components like seusers and fcontexts.
>> fcontexts.local is split out to a separate file for precedence reasons
>> so it doesn't get merged anymore.  I don't think Dan actually uses
>> seusers in the base policy for anything at present, but others may be.
>>
> 
> Verified. The seusers coming from the policy are not merged into the seusers.final with this patchset. 
> 
> It appears that at present in sepol_link_packages() there is no merging of seusers from each module so we only support seusers in base presently. Therefore we don't have to worry about getting the seusers from all the modules but we do need to grab them out of the base module and combine them in.
> 

Ping on this, were you able to reproduce this Dan? I'd like to get this patch in before we do a toolchain release (which is soonish).

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-04 15:16           ` Joshua Brindle
@ 2008-09-04 19:16             ` Daniel J Walsh
  2008-09-05  2:52               ` Ivan Gyurdiev
  0 siblings, 1 reply; 19+ messages in thread
From: Daniel J Walsh @ 2008-09-04 19:16 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Stephen Smalley, Ivan Gyurdiev, SE Linux

Joshua Brindle wrote:
> Joshua Brindle wrote:
>> Stephen Smalley wrote:
>>> On Tue, 2008-08-26 at 21:52 -0400, Ivan Gyurdiev wrote:
>>>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>>>     
>>>>> This is clearing the existing seusers.final file, otherwise delete was
>>>>> not working.
>>>>>   
>>>> I think the previous code was doing more - it was merging the local file 
>>>> with the shipped base package file, like this:
>>>>
>>>>     data = extract_file_from_policy_package( )
>>>>     write_file ( "seusers.final", data )
>>>>     if ( data != null ) {
>>>>         seusers.clear_cache()  // thereby forcing reload from 
>>>> seusers.final when cache() is called again (in merge_components)
>>>>     } else {
>>>>         seusers.clear()
>>>>     }
>>>>
>>>> It's also doing this three times (once for fcontexts, once for seusers, 
>>>> once for seusers_extra).
>>>> The problem is that you're skipping the link_sandbox call, which builds 
>>>> the base package, containing this information.
>>> We're trying to avoid the overhead of re-linking the policy when we are
>>> only modifying non-policy components like seusers and fcontexts.
>>> fcontexts.local is split out to a separate file for precedence reasons
>>> so it doesn't get merged anymore.  I don't think Dan actually uses
>>> seusers in the base policy for anything at present, but others may be.
>>>
>> Verified. The seusers coming from the policy are not merged into the seusers.final with this patchset. 
>>
>> It appears that at present in sepol_link_packages() there is no merging of seusers from each module so we only support seusers in base presently. Therefore we don't have to worry about getting the seusers from all the modules but we do need to grab them out of the base module and combine them in.
>>
> 
> Ping on this, were you able to reproduce this Dan? I'd like to get this patch in before we do a toolchain release (which is soonish).

Testing results. On my rawhide system.


NOTE: Rebuild policy old fashioned way
# rpm -Uhv --force
/home/dwalsh/sources/RPMS/noarch/selinux-policy*3.5.6-2.fc10.noarch.rpm
Preparing...                ###########################################
[100%]
   1:selinux-policy         ###########################################
[ 50%]
   2:selinux-policy-targeted###########################################
[100%]


# grep root /etc/selinux/targeted/seusers
/etc/selinux/targeted/modules/active/seusers
/etc/selinux/targeted/modules/active/seusers.final
/etc/selinux/targeted/seusers:root:unconfined_u:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers:root:unconfined_u:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers.final:root:unconfined_u:s0-s0:c0.c1023

Note all three seusers files reference root.

# semanage login -d root
NOTE: Command did not fail.  This command is actually deleting the
customization of root to use unconfined_u.

# grep root /etc/selinux/targeted/seusers \
/etc/selinux/targeted/modules/active/seusers \
/etc/selinux/targeted/modules/active/seusers.final
/etc/selinux/targeted/seusers:root:root:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers.final:root:root:s0-s0:c0.c1023

NOTE root entry is still in
/etc/selinux/targeted/modules/active/seusers.final and
/etc/selinux/targeted/seusers
But it is using SELinux User "root" now which is the default in the base
package.

# semanage login -l | grep root
root                      root                      s0-s0:c0.c1023

NOTE semanage and getseuserbyname still have root entry

# semanage login -d root
/usr/sbin/semanage: Login mapping for root is defined in policy, cannot
be deleted

NOTE If I try to delete root a second time, it gives me an error because
now there is no local customization.

So the patch does not leave us in a bad state even if the user tries to
do something evil.  But it is not perfect: the same command behaves
differently depending on whether a local customization exists.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-04 19:16             ` Daniel J Walsh
@ 2008-09-05  2:52               ` Ivan Gyurdiev
  0 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2008-09-05  2:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Joshua Brindle, Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> Testing results. On my rawhide system.
>
>
> NOTE: Rebuild policy old fashioned way
> # rpm -Uhv --force
> /home/dwalsh/sources/RPMS/noarch/selinux-policy*3.5.6-2.fc10.noarch.rpm
> Preparing...                ###########################################
> [100%]
>    1:selinux-policy         ###########################################
> [ 50%]
>    2:selinux-policy-targeted###########################################
> [100%]
>
>
> # grep root /etc/selinux/targeted/seusers
> /etc/selinux/targeted/modules/active/seusers
> /etc/selinux/targeted/modules/active/seusers.final
> /etc/selinux/targeted/seusers:root:unconfined_u:s0-s0:c0.c1023
> /etc/selinux/targeted/modules/active/seusers:root:unconfined_u:s0-s0:c0.c1023
> /etc/selinux/targeted/modules/active/seusers.final:root:unconfined_u:s0-s0:c0.c1023
>
> Note all three seusers files reference root.
>
> # semanage login -d root
> NOTE: Command did not fail.  This command is actually deleting the
> customization of root to use unconfined_u.
>
> # grep root /etc/selinux/targeted/seusers \
> /etc/selinux/targeted/modules/active/seusers \
> /etc/selinux/targeted/modules/active/seusers.final
> /etc/selinux/targeted/seusers:root:root:s0-s0:c0.c1023
> /etc/selinux/targeted/modules/active/seusers.final:root:root:s0-s0:c0.c1023
>
> NOTE root entry is still in
> /etc/selinux/targeted/modules/active/seusers.final and
> /etc/selinux/targeted/seusers
> But it is using SELinux User "root" now which is the default in the base
> package.
>   
This is very strange, since it is really not supposed to do that - how 
does it get the "root:root:s0-s0:c0.c1023" out of the base package 
without going through here ?
Is it still going through the old code path somehow ?

                if (sepol_module_package_get_seusers_len(base)) {
                        ofilename = semanage_path(SEMANAGE_TMP, 
SEMANAGE_SEUSERS);

There are other things to worry about, such as whether prefix 
information (users_extra file) is correctly merged from the base package.

Ivan






--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-08-27  1:52     ` Ivan Gyurdiev
  2008-08-27 12:04       ` Stephen Smalley
@ 2008-09-10 14:30       ` Daniel J Walsh
  2008-09-11  3:08         ` Ivan Gyurdiev
                           ` (2 more replies)
  1 sibling, 3 replies; 19+ messages in thread
From: Daniel J Walsh @ 2008-09-10 14:30 UTC (permalink / raw)
  To: Ivan Gyurdiev; +Cc: Stephen Smalley, SE Linux, Joshua Brindle

[-- Attachment #1: Type: text/plain, Size: 1344 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ivan Gyurdiev wrote:
> 
>>> I'm a little unclear on what this is doing - can you clarify?
>>>     
>> This is clearing the existing seusers.final file, otherwise delete was
>> not working.
>>   
> I think the previous code was doing more - it was merging the local file
> with the shipped base package file, like this:
> 
>    data = extract_file_from_policy_package( )
>    write_file ( "seusers.final", data )
>    if ( data != null ) {
>        seusers.clear_cache()  // thereby forcing reload from
> seusers.final when cache() is called again (in merge_components)
>    } else {
>        seusers.clear()
>    }
> 
> It's also doing this three times (once for fcontexts, once for seusers,
> once for seusers_extra).
> The problem is that you're skipping the link_sandbox call, which builds
> the base package, containing this information.
> 
> Ivan
> 
> 
Ok I found some problems with the previous patch and did some code
reuse.  I added a function that only read base.pp in order to handle the
 base user_extra and seusers problem.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjH2e8ACgkQrlYvE4MpobM/KwCZAQQ/GCqo2qtHVrwKdvSVyVsW
yr4An16jcLDYVX6tjzwRXRJ1kL4tugcf
=8o75
-----END PGP SIGNATURE-----

[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 12404 bytes --]

diff --exclude-from=exclude -N -u -r nsalibsemanage/src/direct_api.c libsemanage-2.0.27/src/direct_api.c
--- nsalibsemanage/src/direct_api.c	2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.27/src/direct_api.c	2008-09-10 10:22:42.000000000 -0400
@@ -430,6 +430,58 @@
 	}
 	return 0;
 }
+static int semanage_direct_update_user_extra(semanage_handle_t * sh, sepol_module_package_t *base ) {
+	const char *ofilename = NULL;
+	int retval = -1;
+
+	dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh);
+
+	if (sepol_module_package_get_user_extra_len(base)) {
+		ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA);
+		if (ofilename == NULL) {
+			return retval;
+		}
+		retval = write_file(sh, ofilename,
+				    sepol_module_package_get_user_extra(base),
+				    sepol_module_package_get_user_extra_len(base));
+		if (retval < 0)
+			return retval;
+
+		pusers_extra->dtable->drop_cache(pusers_extra->dbase);
+		
+	} else {
+		retval =  pusers_extra->dtable->clear(sh, pusers_extra->dbase);
+	}
+
+	return retval;
+}
+	
+
+static int semanage_direct_update_seuser(semanage_handle_t * sh, sepol_module_package_t *base ) {
+
+	const char *ofilename = NULL;
+	int retval = -1;
+
+	dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh);
+
+	if (sepol_module_package_get_seusers_len(base)) {
+		ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS);
+		if (ofilename == NULL) {
+			return -1;
+		}
+		retval = write_file(sh, ofilename,
+				    sepol_module_package_get_seusers(base),
+				    sepol_module_package_get_seusers_len(base));
+		if (retval < 0)
+			return retval;
+		
+		pseusers->dtable->drop_cache(pseusers->dbase);
+		
+	} else {
+		retval = pseusers->dtable->clear(sh, pseusers->dbase);
+	}
+	return retval;
+}
 
 /********************* direct API functions ********************/
 
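Review bot: semanage_direct_update_user_extra and semanage_direct_update_seuser are the same function with three names swapped (the users_extra/seusers policy dbase, the SEMANAGE_USERS_EXTRA/SEMANAGE_SEUSERS path id, and the sepol getter pair), so any fix — for instance reporting an error when semanage_path returns NULL, which both currently do silently — has to be made twice. A single static helper taking the dbase, the path id and the extracted buffer/length would reduce each call site to one call; the sketch below assumes semanage_path's second argument is `enum semanage_sandbox_defs` as declared in semanage_store.h, so adjust if the type differs. Neither helper carries a comment; if they are kept as two functions, a one-liner such as `/* Install the seusers file shipped in the base package into the sandbox, or clear the policy-side dbase if the package has none. */` above each would help.
```c
/* Install a file extracted from the base package (buf/len) as sandbox
 * file file_id and drop the dbase cache so it is re-read on next use;
 * an empty extract means the package ships no such file, so the
 * policy-side dbase is cleared instead.  Returns 0 on success, <0 on error. */
static int semanage_direct_update_from_base(semanage_handle_t *sh,
					    dbase_config_t *dbase,
					    enum semanage_sandbox_defs file_id,
					    const char *buf, size_t len)
{
	const char *ofilename;
	int retval;

	if (len == 0)
		return dbase->dtable->clear(sh, dbase->dbase);

	ofilename = semanage_path(SEMANAGE_TMP, file_id);
	if (ofilename == NULL) {
		ERR(sh, "Could not resolve sandbox path for file id %d.", (int)file_id);
		return -1;
	}
	retval = write_file(sh, ofilename, buf, len);
	if (retval < 0)
		return retval;
	dbase->dtable->drop_cache(dbase->dbase);
	return 0;
}

/* … call site, e.g. for seusers … */
retval = semanage_direct_update_from_base(sh, semanage_seuser_dbase_policy(sh),
					  SEMANAGE_SEUSERS,
					  sepol_module_package_get_seusers(base),
					  sepol_module_package_get_seusers_len(base));
```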
@@ -453,7 +505,6 @@
 	dbase_config_t *users_base = semanage_user_base_dbase_local(sh);
 	dbase_config_t *pusers_base = semanage_user_base_dbase_policy(sh);
 	dbase_config_t *users_extra = semanage_user_extra_dbase_local(sh);
-	dbase_config_t *pusers_extra = semanage_user_extra_dbase_policy(sh);
 	dbase_config_t *ports = semanage_port_dbase_local(sh);
 	dbase_config_t *pports = semanage_port_dbase_policy(sh);
 	dbase_config_t *bools = semanage_bool_dbase_local(sh);
@@ -465,7 +516,6 @@
 	dbase_config_t *fcontexts = semanage_fcontext_dbase_local(sh);
 	dbase_config_t *pfcontexts = semanage_fcontext_dbase_policy(sh);
 	dbase_config_t *seusers = semanage_seuser_dbase_local(sh);
-	dbase_config_t *pseusers = semanage_seuser_dbase_policy(sh);
 
 	/* Before we do anything else, flush the join to its component parts.
 	 * This *does not* flush to disk automatically */
@@ -489,12 +539,6 @@
 	modified |= ifaces->dtable->is_modified(ifaces->dbase);
 	modified |= nodes->dtable->is_modified(nodes->dbase);
 
-	/* FIXME: get rid of these, once we support loading the existing policy,
-	 * instead of rebuilding it */
-	modified |= seusers_modified;
-	modified |= fcontexts_modified;
-	modified |= users_extra_modified;
-
 	/* If there were policy changes, or explicitly requested, rebuild the policy */
 	if (sh->do_rebuild || modified) {
 
@@ -575,46 +619,13 @@
 
 		pfcontexts->dtable->drop_cache(pfcontexts->dbase);
 
-		/* Seusers */
-		if (sepol_module_package_get_seusers_len(base)) {
-			ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_SEUSERS);
-			if (ofilename == NULL) {
-				retval = -1;
-				goto cleanup;
-			}
-			retval = write_file(sh, ofilename,
-					    sepol_module_package_get_seusers(base),
-					    sepol_module_package_get_seusers_len(base));
-			if (retval < 0)
-				goto cleanup;
-
-			pseusers->dtable->drop_cache(pseusers->dbase);
-
-		} else {
-			retval = pseusers->dtable->clear(sh, pseusers->dbase);
-			if (retval < 0)
-				goto cleanup;
-		}
-
-		/* Users_extra */
-		if (sepol_module_package_get_user_extra_len(base)) {
-			ofilename = semanage_path(SEMANAGE_TMP, SEMANAGE_USERS_EXTRA);
-			if (ofilename == NULL) {
-				retval = -1;
-				goto cleanup;
-			}
-			retval = write_file(sh, ofilename,
-					    sepol_module_package_get_user_extra(base),
-					    sepol_module_package_get_user_extra_len(base));
-			if (retval < 0)
-				goto cleanup;
-			pusers_extra->dtable->drop_cache(pusers_extra->dbase);
+		retval = semanage_direct_update_seuser(sh, base );
+		if (retval < 0)
+			goto cleanup;
 
-		} else {
-			retval = pusers_extra->dtable->clear(sh, pusers_extra->dbase);
-			if (retval < 0)
-				goto cleanup;
-		}
+		retval = semanage_direct_update_user_extra(sh, base );
+		if (retval < 0)
+			goto cleanup;
 
 		/* Netfilter Contexts */
 		/* Sort the netfilter contexts. */
@@ -667,11 +678,41 @@
 		retval = semanage_verify_kernel(sh);
 		if (retval < 0)
 			goto cleanup;
-	}
+	} else {
+		retval = sepol_policydb_create(&out);
+		if (retval < 0)
+			goto cleanup;
+
+		retval = semanage_read_policydb(sh, out);
+		if (retval < 0)
+			goto cleanup;
+		
+		if (seusers_modified || users_extra_modified) {
+			retval = semanage_link_base(sh, &base);
+			if (retval < 0)
+				goto cleanup;
+
+			if (seusers_modified) {
+				retval = semanage_direct_update_seuser(sh, base );
+				if (retval < 0)
+					goto cleanup;
+			}
+			if (users_extra_modified) {
+				/* Users_extra */
+				retval = semanage_direct_update_user_extra(sh, base );
+				if (retval < 0)
+					goto cleanup;
+			}
 
-	/* FIXME: else if !modified, but seusers_modified, 
-	 * load the existing policy instead of rebuilding */
+			sepol_module_package_free(base);
+			base = NULL;
+		}
 
+		retval = semanage_base_merge_components(sh);
+		if (retval < 0)
+		  goto cleanup;
+
+	}
 	/* ======= Post-process: Validate non-policydb components ===== */
 
 	/* Validate local modifications to file contexts.
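Review bot: The new `else` branch has no comment explaining why a commit that rebuilds nothing still parses the installed kernel policy into `out` and re-links base.pp; the non-policydb validation that starts at the end of this hunk appears to be the consumer of `out`, but a reader has to work that out. Suggest `/* Nothing to rebuild: load the installed policy so the post-process validation below has a policydb, and pull seusers/users_extra from the existing base.pp when the local versions changed. */` above `retval = sepol_policydb_create(&out);`. The `goto cleanup` after semanage_base_merge_components is indented with two spaces while every other line in the hunk uses tabs. Note that this branch also executes when none of the three flags is set, i.e. for a no-op commit; whether that extra read and merge is acceptable is for the author to confirm. If an update helper fails after semanage_link_base succeeded, `base` is left to the cleanup label outside the hunk, presumably freed there as in the rebuild path, but worth checking.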
@@ -724,7 +765,8 @@
 	sepol_policydb_free(out);
 	out = NULL;
 
-	if (sh->do_rebuild || modified) {
+	if (sh->do_rebuild || modified || 
+	    seusers_modified || fcontexts_modified || users_extra_modified) {
 		retval = semanage_install_sandbox(sh);
 	}
 
@@ -733,12 +775,14 @@
 		free(mod_filenames[i]);
 	}
 
-	/* Detach from policydb, so it can be freed */
-	dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
-	dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+	if (modified) {
+		/* Detach from policydb, so it can be freed */
+		dbase_policydb_detach((dbase_policydb_t *) pusers_base->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pports->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pifaces->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pnodes->dbase);
+		dbase_policydb_detach((dbase_policydb_t *) pbools->dbase);
+	}
 
 	free(mod_filenames);
 	sepol_policydb_free(out);
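Review bot: The detach is now gated on `modified` alone, while the rebuild branch — which, as far as the visible hunks show, is the only path that attaches the users/ports/ifaces/nodes/bools dbases to `out` — runs on `sh->do_rebuild || modified`, the same condition the previous hunk uses for semanage_install_sandbox. A commit with do_rebuild set and nothing modified would therefore skip the detach and then free `out` on the next line with those dbases still pointing into it. Unless the attach is also conditioned on `modified` somewhere outside this hunk, the guard should be `if (sh->do_rebuild || modified) {`, or the detach can simply stay unconditional as it was before: the old code already detached on the non-rebuild path, so detaching an unattached dbase was exercised before this change.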
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.c libsemanage-2.0.27/src/semanage_store.c
--- nsalibsemanage/src/semanage_store.c	2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.c	2008-09-10 10:24:12.000000000 -0400
@@ -1608,6 +1608,41 @@
 	return retval;
 }
 
+/* Links only the base module within the sandbox into the base module.
+ * '*base' will point to the module package that contains everything
+ * linked together (caller must call sepol_module_package_destroy() on
+ * it afterwards).  '*base' will be set to NULL upon entering this
+ * function.  Returns 0 on success, -1 on error.
+ */
+int semanage_link_base(semanage_handle_t * sh,
+			  sepol_module_package_t ** base)
+{
+	const char *base_filename = NULL;
+	int retval = -1;
+
+	*base = NULL;
+
+	/* first make sure that base module is readable */
+	if ((base_filename =
+	     semanage_path(SEMANAGE_TMP, SEMANAGE_BASE)) == NULL) {
+		goto cleanup;
+	}
+	if (access(base_filename, R_OK) == -1) {
+		ERR(sh, "Could not access sandbox base file %s.",
+		    base_filename);
+		goto cleanup;
+	}
+
+	if (semanage_load_module(sh, base_filename, base) == -1) {
+		goto cleanup;
+	}
+
+	retval = 0;
+
+      cleanup:
+	return retval;
+}
+
 /* 
  * Expands the policy contained within *base 
  */
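Review bot: The header comment was carried over from semanage_link_sandbox and no longer matches the function: nothing is linked "into the base module" (the function loads the sandbox's base.pp into `*base`), and it tells callers to use sepol_module_package_destroy() while the caller in direct_api.c releases it with `sepol_module_package_free(base)`. Suggest replacing it with `/* Load the base module package from the sandbox into *base without linking any other modules. *base is set to NULL on entry; on success the caller owns it and must release it with sepol_module_package_free(). Returns 0 on success, -1 on error. */`. The `access(base_filename, R_OK)` probe before semanage_load_module is a check-then-use against the real rather than effective UID, so it can only ever serve to give a friendlier message; that is fine provided semanage_load_module's own failure is still reported, which this hunk does not show.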
@@ -1648,6 +1683,47 @@
 }
 
 /**
+ * Read the policy from the sandbox (kernel)
+ */
+int semanage_read_policydb(semanage_handle_t * sh, sepol_policydb_t * in)
+{
+
+	int retval = STATUS_ERR;
+	const char *kernel_filename = NULL;
+	struct sepol_policy_file *pf = NULL;
+	FILE *infile = NULL;
+
+	if ((kernel_filename =
+	     semanage_path(SEMANAGE_ACTIVE, SEMANAGE_KERNEL)) == NULL) {
+		goto cleanup;
+	}
+	if ((infile = fopen(kernel_filename, "r")) == NULL) {
+		ERR(sh, "Could not open kernel policy %s for reading.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	__fsetlocking(infile, FSETLOCKING_BYCALLER);
+	if (sepol_policy_file_create(&pf)) {
+		ERR(sh, "Out of memory!");
+		goto cleanup;
+	}
+	sepol_policy_file_set_fp(pf, infile);
+	sepol_policy_file_set_handle(pf, sh->sepolh);
+	if (sepol_policydb_read(in, pf) == -1) {
+		ERR(sh, "Error while reading kernel policy from %s.",
+		    kernel_filename);
+		goto cleanup;
+	}
+	retval = STATUS_SUCCESS;
+
+      cleanup:
+	if (infile != NULL) {
+		fclose(infile);
+	}
+	sepol_policy_file_free(pf);
+	return retval;
+}
+/**
  * Writes the final policy to the sandbox (kernel)
  */
 int semanage_write_policydb(semanage_handle_t * sh, sepol_policydb_t * out)
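Review bot: The doc comment says the policy is read "from the sandbox", but the path is built from SEMANAGE_ACTIVE, i.e. the currently installed store, not the SEMANAGE_TMP sandbox the rest of this commit writes into. If reading the active copy is intended — it is identical to the sandbox when nothing was rebuilt — the comment should say so: `/* Read the installed kernel policy (active store, not the sandbox) into *in. */`; if not, the path id should be SEMANAGE_TMP. `__fsetlocking` needs <stdio_ext.h>, which is presumably already included for semanage_write_policydb. The closing `*/` also runs straight into the next `/**`; a blank line between the two functions would match the rest of the file.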
diff --exclude-from=exclude -N -u -r nsalibsemanage/src/semanage_store.h libsemanage-2.0.27/src/semanage_store.h
--- nsalibsemanage/src/semanage_store.h	2008-08-28 09:34:24.000000000 -0400
+++ libsemanage-2.0.27/src/semanage_store.h	2008-09-10 10:22:42.000000000 -0400
@@ -93,10 +93,16 @@
 int semanage_link_sandbox(semanage_handle_t * sh,
 			  sepol_module_package_t ** base);
 
+int semanage_link_base(semanage_handle_t * sh,
+		       sepol_module_package_t ** base);
+
 int semanage_expand_sandbox(semanage_handle_t * sh,
 			    sepol_module_package_t * base,
 			    sepol_policydb_t ** policydb);
 
+int semanage_read_policydb(semanage_handle_t * sh,
+			    sepol_policydb_t * policydb);
+
 int semanage_write_policydb(semanage_handle_t * sh,
 			    sepol_policydb_t * policydb);
 
diff --exclude-from=exclude -N -u -r nsalibsemanage/tests/test_fcontext.c libsemanage-2.0.27/tests/test_fcontext.c
--- nsalibsemanage/tests/test_fcontext.c	1969-12-31 19:00:00.000000000 -0500
+++ libsemanage-2.0.27/tests/test_fcontext.c	2008-09-10 10:22:42.000000000 -0400
@@ -0,0 +1,72 @@
+#include <semanage/fcontext_record.h>
+#include <semanage/semanage.h>
+#include <semanage/fcontexts_local.h>
+#include <sepol/sepol.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main(const int argc, const char **argv) {
+	semanage_handle_t *sh = NULL;
+	semanage_fcontext_t *fcontext;
+	semanage_context_t *con;
+	semanage_fcontext_key_t *k;
+
+	int exist = 0;
+	sh = semanage_handle_create();
+	if (sh == NULL) { 
+		perror("Can't create semanage handle\n");
+		return -1;
+	}
+        if (semanage_access_check(sh) < 0) {
+		perror("Semanage access check failed\n");
+		return -1;
+	}
+        if (semanage_connect(sh) < 0) {
+		perror("Semanage connect failed\n");
+		return -1;
+	}
+
+	if (semanage_fcontext_key_create(sh, argv[2], SEMANAGE_FCONTEXT_REG, &k) < 0) {
+		fprintf(stderr, "Could not create key for %s", argv[2]);
+		return -1;
+	}
+
+	if(semanage_fcontext_exists(sh, k, &exist) < 0) {
+		fprintf(stderr,"Could not check if key exists for %s", argv[2]);
+		return -1;
+	}
+	if (exist) {
+		fprintf(stderr,"Could create %s mapping already exists", argv[2]);
+		return -1;
+	}
+
+	if (semanage_fcontext_create(sh, &fcontext) < 0) {
+		fprintf(stderr,"Could not create file context for %s", argv[2]);
+		return -1;
+	}
+	semanage_fcontext_set_expr(sh, fcontext, argv[2]);
+
+	if (semanage_context_from_string(sh, argv[1], &con)) {
+		fprintf(stderr,"Could not create context using %s for file context %s", argv[1], argv[2]);
+		return -1;
+	}
+
+	if (semanage_fcontext_set_con(sh, fcontext, con) < 0) {
+		fprintf(stderr,"Could not set file context for %s", argv[2]);
+		return -1;
+	}
+
+	semanage_fcontext_set_type(fcontext, SEMANAGE_FCONTEXT_REG);
+
+	if(semanage_fcontext_modify_local(sh, k, fcontext) < 0) {
+		fprintf(stderr,"Could not add file context for %s", argv[2]);
+		return -1;
+	}
+	semanage_fcontext_key_free(k);
+	semanage_fcontext_free(fcontext);
+
+	return 0;
+}
+
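Review bot: argv[1] and argv[2] are used without checking argc, so running the example with fewer than two arguments dereferences NULL in semanage_fcontext_key_create; `perror` is also used after semanage_handle_create, semanage_access_check and semanage_connect, which do not necessarily set errno, so the appended text may be stale. The mapping is added with semanage_fcontext_modify_local but never committed — there is no semanage_commit(sh), semanage_disconnect(sh) or semanage_handle_destroy(sh) before returning — so, as far as this file shows, nothing is persisted, which works against its stated purpose as an example for assigning contexts. `return -1` from main yields exit status 255 and the fprintf messages lack a trailing newline; the sketch below shows the changed lines (the `const char **argv` main signature is also non-standard).
```c
int main(int argc, char **argv) {
	/* … unchanged: declarations … */
	if (argc != 3) {
		fprintf(stderr, "usage: %s <context> <path-regex>\n", argv[0]);
		return EXIT_FAILURE;
	}
	sh = semanage_handle_create();
	if (sh == NULL) {
		fprintf(stderr, "Can't create semanage handle\n");
		return EXIT_FAILURE;
	}
	/* … unchanged: access check, connect, key/fcontext creation —
	 *   with fprintf(stderr, "...\n") in place of perror, and EXIT_FAILURE … */
	if (semanage_fcontext_modify_local(sh, k, fcontext) < 0) {
		fprintf(stderr, "Could not add file context for %s\n", argv[2]);
		return EXIT_FAILURE;
	}
	if (semanage_commit(sh) < 0) {
		fprintf(stderr, "Could not commit file context for %s\n", argv[2]);
		return EXIT_FAILURE;
	}
	semanage_fcontext_key_free(k);
	semanage_fcontext_free(fcontext);
	semanage_disconnect(sh);
	semanage_handle_destroy(sh);
	return EXIT_SUCCESS;
}
```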

[-- Attachment #3: diff.sig --]
[-- Type: application/octet-stream, Size: 72 bytes --]


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-10 14:30       ` Daniel J Walsh
@ 2008-09-11  3:08         ` Ivan Gyurdiev
  2008-09-12 18:53         ` Joshua Brindle
  2008-09-15 15:59         ` Joshua Brindle
  2 siblings, 0 replies; 19+ messages in thread
From: Ivan Gyurdiev @ 2008-09-11  3:08 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Stephen Smalley, SE Linux, Joshua Brindle

Daniel J Walsh wrote:
> Ok I found some problems with the previous patch and did some code
> reuse.  I added a function that only read base.pp in order to handle the
>  base user_extra and seusers problem.
>   

This is starting to look better - I see no obvious correctness issues.
The function still seems much too large to maintain - maybe fcontext and 
module stuff can also be broken out into sub-functions ?

ivan



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-10 14:30       ` Daniel J Walsh
  2008-09-11  3:08         ` Ivan Gyurdiev
@ 2008-09-12 18:53         ` Joshua Brindle
  2008-09-15 12:53           ` Daniel J Walsh
  2008-09-15 15:59         ` Joshua Brindle
  2 siblings, 1 reply; 19+ messages in thread
From: Joshua Brindle @ 2008-09-12 18:53 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ivan Gyurdiev wrote:
>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>     
>>> This is clearing the existing seusers.final file, otherwise delete was
>>> not working.
>>>   
>> I think the previous code was doing more - it was merging the local file
>> with the shipped base package file, like this:
>>
>>    data = extract_file_from_policy_package( )
>>    write_file ( "seusers.final", data )
>>    if ( data != null ) {
>>        seusers.clear_cache()  // thereby forcing reload from
>> seusers.final when cache() is called again (in merge_components)
>>    } else {
>>        seusers.clear()
>>    }
>>
>> It's also doing this three times (once for fcontexts, once for seusers,
>> once for seusers_extra).
>> The problem is that you're skipping the link_sandbox call, which builds
>> the base package, containing this information.
>>
>> Ivan
>>
>>
> Ok I found some problems with the previous patch and did some code
> reuse.  I added a function that only read base.pp in order to handle the
>  base user_extra and seusers problem.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkjH2e8ACgkQrlYvE4MpobM/KwCZAQQ/GCqo2qtHVrwKdvSVyVsW
> yr4An16jcLDYVX6tjzwRXRJ1kL4tugcf
> =8o75
> -----END PGP SIGNATURE-----
> 

The patch looks good but the test looks like it was written to be standalone and make test under libsemanage won't compile anymore (duplicate definition of main()). Please use the CUnit test infrastructure we have in place.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-12 18:53         ` Joshua Brindle
@ 2008-09-15 12:53           ` Daniel J Walsh
  0 siblings, 0 replies; 19+ messages in thread
From: Daniel J Walsh @ 2008-09-15 12:53 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: Ivan Gyurdiev, Stephen Smalley, SE Linux

Joshua Brindle wrote:
> Daniel J Walsh wrote:
> Ivan Gyurdiev wrote:
>>>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>>>     
>>>>> This is clearing the existing seusers.final file, otherwise delete was
>>>>> not working.
>>>>>   
>>>> I think the previous code was doing more - it was merging the local file
>>>> with the shipped base package file, like this:
>>>>
>>>>    data = extract_file_from_policy_package( )
>>>>    write_file ( "seusers.final", data )
>>>>    if ( data != null ) {
>>>>        seusers.clear_cache()  // thereby forcing reload from
>>>> seusers.final when cache() is called again (in merge_components)
>>>>    } else {
>>>>        seusers.clear()
>>>>    }
>>>>
>>>> It's also doing this three times (once for fcontexts, once for seusers,
>>>> once for seusers_extra).
>>>> The problem is that you're skipping the link_sandbox call, which builds
>>>> the base package, containing this information.
>>>>
>>>> Ivan
>>>>
>>>>
> Ok I found some problems with the previous patch and did some code
> reuse.  I added a function that only read base.pp in order to handle the
>  base user_extra and seusers problem.
> 
> 
>>

> The patch looks good but the test looks like it was written to be standalone and make test under libsemanage won't compile anymore (duplicate definition of main()). Please use the CUnit test infrastructure we have in place.

How about we create a new directory called examples and throw it there.

I wrote this up as an example to be used by libvirt guys to assign a
context on the fly.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: libsemage patch to not compile modules for seusers and fcontext
  2008-09-10 14:30       ` Daniel J Walsh
  2008-09-11  3:08         ` Ivan Gyurdiev
  2008-09-12 18:53         ` Joshua Brindle
@ 2008-09-15 15:59         ` Joshua Brindle
  2 siblings, 0 replies; 19+ messages in thread
From: Joshua Brindle @ 2008-09-15 15:59 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Ivan Gyurdiev, Stephen Smalley, SE Linux

Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Ivan Gyurdiev wrote:
>>>> I'm a little unclear on what this is doing - can you clarify?
>>>>     
>>> This is clearing the existing seusers.final file, otherwise delete was
>>> not working.
>>>   
>> I think the previous code was doing more - it was merging the local file
>> with the shipped base package file, like this:
>>
>>    data = extract_file_from_policy_package( )
>>    write_file ( "seusers.final", data )
>>    if ( data != null ) {
>>        seusers.clear_cache()  // thereby forcing reload from
>> seusers.final when cache() is called again (in merge_components)
>>    } else {
>>        seusers.clear()
>>    }
>>
>> It's also doing this three times (once for fcontexts, once for seusers,
>> once for seusers_extra).
>> The problem is that you're skipping the link_sandbox call, which builds
>> the base package, containing this information.
>>
>> Ivan
>>
>>
> Ok I found some problems with the previous patch and did some code
> reuse.  I added a function that only read base.pp in order to handle the
>  base user_extra and seusers problem.
> 

Merged into libsemanage 2.0.28

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

