From: "Christopher J. PeBenito" <cpebenito@tresys.com>
To: jwcart2@tycho.nsa.gov
Cc: Dominick Grift <domg472@gmail.com>, selinux@tycho.nsa.gov
Subject: Re: analysing optional policy
Date: Tue, 30 Nov 2010 13:45:09 -0500
Message-ID: <4CF54635.4080707@tresys.com>
In-Reply-To: <1291140706.1328.47.camel@moss-lions.epoch.ncsc.mil>
On 11/30/10 13:11, James Carter wrote:
> On Tue, 2010-11-30 at 17:45 +0100, Dominick Grift wrote:
>> On 11/30/2010 04:36 PM, James Carter wrote:
>>> On Fri, 2010-11-26 at 20:55 +1100, Russell Coker wrote:
>>>> I'm having a problem with optional policy not being used when I think it
>>>> should.
>>>>
>>>> Is it possible to use apol to get information on optional policy for .pp files
>>>> so I can try to work out why it doesn't get enabled?
>>>>
>>>> unconfined_run_to(depmod_t, depmod_exec_t)
>>>>
>>>> In the Debian policy I have the above in an optional section of base.pp but
>>>> for reasons that I don't understand it's not being loaded (both tests and
>>>> running apol on policy.24 show this).
>>>>
>>>> I've inspected the contents of base.conf and they appear to be OK.
>>>>
>>>> Any suggestions of other tools to analyse this will be appreciated.
>
>> This may not be applicable here but do double check the module. I have
>> experienced similar issues where optional policy blocks were not loaded,
>> without any errors shown.
>
> Not being defined is not an error in an optional block, it just means
> the optional block is not to be used.
>
> It is expected that there will be a lot of unused optional blocks if
> only some modules are being used. Reporting everything not defined
> would not be helpful in this case.
>
> This behavior of silently removing optional blocks can, however, cause
> real errors to be missed.
At first I was going to suggest an extra-verbose or a debug mode on the
toolchain to help on this, but I suspect that identifying the block in a
useful fashion wouldn't be possible. When resolving the blocks, is
there even any reference to the module it comes from? Beyond that,
there probably aren't line numbers either, so it couldn't have messages
like "block disabled: optional beginning on line 123 from foo.pp."
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
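The message Chris wishes the toolchain could print ("block disabled: optional beginning on line 123") is hard to produce from a compiled .pp, but it is easy to produce from the M4-expanded source (base.conf) that Russell already inspected, where every `optional_policy()` call has become an `optional { require { ... } ... }` block. The script below is an added example written for this thread, not code from the SELinux toolchain or from any participant: it walks an expanded policy text, records which types and roles each optional block's `require` section names, and reports the blocks whose requirements are not declared anywhere in the same text, together with the line on which the block opens. The sample policy embedded in it is constructed for the example and only mimics the shape of base.conf.

```python
"""Find `optional { ... }` blocks in M4-expanded SELinux policy source whose
`require { ... }` section names a type or role the policy never declares.
Such blocks are silently dropped by the policy compiler; this reports them."""
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of an expanded base.conf (not real policy).
# The first optional block requires unconfined_t, which is never declared,
# so the compiler would drop it without any error message.
SAMPLE_POLICY = """\
# constructed sample policy
type depmod_t, domain;
type depmod_exec_t, file_type;
role system_r;

optional {
require {
type depmod_t, depmod_exec_t;
type unconfined_t;
role system_r;
}
allow unconfined_t depmod_exec_t:file { read execute };
}

optional {
require {
type depmod_t;
}
allow depmod_t self:process signal;
}
"""

@dataclass
class OptionalBlock:
    start_line: int                              # 1-based line of `optional {`
    required: set = field(default_factory=set)   # (kind, name) pairs

_OPTIONAL_RE = re.compile(r"^\s*optional\s*\{")
_REQUIRE_RE = re.compile(r"^\s*require\s*\{")
# A declaration outside a require section: `type foo_t, attr1;`, `role r;`
_DECL_RE = re.compile(r"^\s*(type|role|attribute|bool)\s+([A-Za-z0-9_]+)")
# A requirement inside a require section: `type a, b;`, `role r;`
_REQ_ITEM_RE = re.compile(r"^\s*(type|role|attribute|bool)\s+([^;]+);")

def _strip_comment(line):
    return line.split("#", 1)[0]

def parse_policy(text):
    """Return (declared, blocks): `declared` holds (kind, name) pairs declared
    outside require sections; `blocks` lists the top-level optional blocks
    (nested optionals are folded into their enclosing block here)."""
    declared, blocks = set(), []
    depth = 0
    current, optional_depth = None, None
    in_require, require_depth = False, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        if current is None and _OPTIONAL_RE.match(line):
            current, optional_depth = OptionalBlock(start_line=lineno), depth
        if _REQUIRE_RE.match(line):
            in_require, require_depth = True, depth
        m = _REQ_ITEM_RE.match(line) if in_require else _DECL_RE.match(line)
        if m:
            kind = m.group(1)
            if in_require:
                if current is not None:
                    for name in m.group(2).split(","):
                        current.required.add((kind, name.strip()))
            else:
                declared.add((kind, m.group(2)))
        # Brace counting on the comment-stripped line; allow-rule sets like
        # `{ read execute }` are balanced within the line and cancel out.
        depth += line.count("{") - line.count("}")
        if in_require and depth <= require_depth:
            in_require = False
        if current is not None and depth <= optional_depth:
            blocks.append(current)
            current = None
    return declared, blocks

def disabled_blocks(text):
    """Return [(start_line, [missing (kind, name), ...]), ...] for each
    optional block that would be disabled because a requirement is undeclared."""
    declared, blocks = parse_policy(text)
    return [(b.start_line, sorted(b.required - declared))
            for b in blocks if b.required - declared]

def report(text):
    """Render the diagnostic the thread wished the toolchain produced."""
    return ["block disabled: optional beginning on line %d (undeclared: %s)"
            % (line, ", ".join("%s %s" % item for item in missing))
            for line, missing in disabled_blocks(text)]

if __name__ == "__main__":
    for msg in report(SAMPLE_POLICY):
        print(msg)
```

To run it against a real module, pass the contents of base.conf (or a module's expanded .conf) to `report()`; the declared set can also be replaced by the types the loaded policy actually knows, for instance by feeding the output of setools' `seinfo -t` into a set of ("type", name) pairs, which covers requirements satisfied by other loaded modules rather than by the same source file.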