* [refpolicy] What is the best way to trim out modules, apps from refpolicy when building monolithic policy.
From: Sam Gandhi @ 2011-06-10 15:56 UTC (permalink / raw)
  To: refpolicy

Hello,

I want to try and build a monolithic policy based on the reference policy
available via refpolicy.git (git clone
http://oss.tresys.com/git/refpolicy.git)

I have made changes to the top-level build.conf file to set MONOLITHIC = y.

But I haven't yet come across a way to trim out apps/ and modules we
don't run on our device.

Is there an easy way to specify this, or should I just remove the unwanted
files from policy/modules/ for the modules which I know don't run on our
device?

The target I am working with has only 64MB memory and 256MB flash.

-Sam

From: Dominick Grift @ 2011-06-10 16:05 UTC (permalink / raw)
  To: refpolicy

When you do "make config" it creates a modules.conf, I believe. You can
remove modules from that file and then those should not be built, I
believe.

You can also include a custom modules.conf in your package and replace
that by the one that is generated before you actually compile the
policy.

Fedora does this as well because it wants to use a different collection
of modules depending on the policy model.

e.g. include this model if the model is targeted but exclude it if the
model is mls etc.

But you can also just remove the modules.

The eclipse-slide SELinux IDE also gives the possibility to
include/exclude modules in the project properties.

On Fri, 2011-06-10 at 08:56 -0700, Sam Gandhi wrote:
> Hello,
> 
> I want to try and build a monolithic policy based on the reference policy
> available via refpolicy.git (git clone
> http://oss.tresys.com/git/refpolicy.git)
> 
> I have made changes to the top-level build.conf file to set MONOLITHIC = y.
> 
> But I haven't yet come across a way to trim out apps/ and modules we
> don't run on our device.
> 
> Is there an easy way to specify this, or should I just remove the unwanted
> files from policy/modules/ for the modules which I know don't run on our
> device?
> 
> The target I am working with has only 64MB memory and 256MB flash.
> 
> -Sam

From: Christopher J. PeBenito @ 2011-06-10 16:34 UTC (permalink / raw)
  To: refpolicy

On 06/10/11 12:05, Dominick Grift wrote:
> When you do "make config" it creates a modules.conf, I believe. You can
> remove modules from that file and then those should not be built, I
> believe.
> 
> You can also include a custom modules.conf in your package and replace
> that by the one that is generated before you actually compile the
> policy.

I suggest the above, rather than deleting files out of the tree.  This
is one of the reasons we have a modules.conf for the policy.  The 'make
conf' target will create a modules.conf if you don't have one.

> Fedora does this as well because it wants to use a different collection
> of modules depending on the policy model.
> 
> e.g. include this model if the model is targeted but exclude it if the
> model is mls etc.
> 
> But you can also just remove the modules.
> 
> The eclipse-slide SELinux IDE also gives the possibility to
> include/exclude modules in the project properties.
> 
> On Fri, 2011-06-10 at 08:56 -0700, Sam Gandhi wrote:
>> Hello,
>>
>> I want to try and build a monolithic policy based on the reference policy
>> available via refpolicy.git (git clone
>> http://oss.tresys.com/git/refpolicy.git)
>>
>> I have made changes to the top-level build.conf file to set MONOLITHIC = y.
>>
>> But I haven't yet come across a way to trim out apps/ and modules we
>> don't run on our device.
>>
>> Is there an easy way to specify this, or should I just remove the unwanted
>> files from policy/modules/ for the modules which I know don't run on our
>> device?
>>
>> The target I am working with has only 64MB memory and 256MB flash.
>>
>> -Sam


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
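
The modules.conf approach recommended above, sketched as a keep-list filter; this is an added example, not part of the thread and not refpolicy's own tooling. It assumes entries of the form `name = base|module|off`; the function names and the sample file are constructed for illustration.

```shell
# Added example, not refpolicy code. Assumes modules.conf entries have the
# form "<name> = base|module|off"; all other lines are comments or blank.

# trim_modules_conf "KEEP LIST" < modules.conf > trimmed.conf
# Leaves base modules alone, enables keep-list names, sets the rest to off.
trim_modules_conf() {
    awk -v keep="$1" '
    BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
    /^[ \t]*[A-Za-z0-9_]+[ \t]*=[ \t]*(base|module|off)[ \t]*$/ {
        split($0, f, "="); name = f[1]; val = f[2]
        gsub(/[ \t]/, "", name); gsub(/[ \t]/, "", val)
        if (val == "base")     print name " = base"     # required, never disabled
        else if (name in want) print name " = module"
        else                   print name " = off"
        next
    }
    { print }                                           # keep comments for review
    '
}

# unknown_modules "KEEP LIST" < modules.conf
# Prints keep-list names with no entry, so a typo cannot silently drop a module.
unknown_modules() {
    awk -v keep="$1" '
    BEGIN { n = split(keep, k, " ") }
    /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ { m = $0; sub(/[ \t]*=.*/, "", m); sub(/^[ \t]+/, "", m); seen[m] = 1 }
    END { for (i = 1; i <= n; i++) if (!(k[i] in seen)) print k[i] }
    '
}

# enabled_modules < modules.conf : names whose value is not "off", one per line.
enabled_modules() {
    awk -F= '/^[ \t]*[A-Za-z0-9_]+[ \t]*=/ { n = $1; v = $2; gsub(/[ \t]/, "", n); gsub(/[ \t]/, "", v); if (v != "off") print n }'
}

# Constructed sample in the modules.conf layout (not a real generated file).
SAMPLE_CONF='# Layer: kernel
# Module: kernel
kernel = base
# Layer: services
# Module: ssh
ssh = module
# Module: mta
mta = module
# Module: ntp
ntp = off'

printf '%s\n' "$SAMPLE_CONF" | trim_modules_conf "ssh ntp"
```

Review the trimmed file before building: as the next message in this thread shows, an enabled module such as ssh can still reference an interface of a module that was turned off.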

From: Sam Gandhi @ 2011-06-10 17:52 UTC (permalink / raw)
  To: refpolicy

On Fri, Jun 10, 2011 at 9:34 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On 06/10/11 12:05, Dominick Grift wrote:
>> When you do "make config" it creates a modules.conf, I believe. You can
>> remove modules from that file and then those should not be built, I
>> believe.
>>
>> You can also include a custom modules.conf in your package and replace
>> that by the one that is generated before you actually compile the
>> policy.
>
> I suggest the above, rather than deleting files out of the tree.  This
> is one of the reasons we have a modules.conf for the policy.  The 'make
> conf' target will create a modules.conf if you don't have one.
>

I have created the modules.conf and things are progressing. What I am
finding is that, say I enable module ssh, now it wants me to enable the
mail module also.

Now, is it considered the right thing to do to go ahead and just edit the
ssh.if file and take out mta_getattr_spool($1_t), or is there a better way
to untangle the interdependency between the modules?

Should I introduce a boolean variable in policy/booleans.conf and make
it tunable_policy('platform_has_mail', .. and send out the change for
diff in case someone else might be interested?

-Sam

From: Guido Trentalancia @ 2011-06-10 18:07 UTC (permalink / raw)
  To: refpolicy

Hi Sam !

On Fri, 2011-06-10 at 10:52 -0700, Sam Gandhi wrote:
> On Fri, Jun 10, 2011 at 9:34 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On 06/10/11 12:05, Dominick Grift wrote:
> >> When you do "make config" it creates a modules.conf, I believe. You can
> >> remove modules from that file and then those should not be built, I
> >> believe.
> >>
> >> You can also include a custom modules.conf in your package and replace
> >> that by the one that is generated before you actually compile the
> >> policy.
> >
> > I suggest the above, rather than deleting files out of the tree.  This
> > is one of the reasons we have a modules.conf for the policy.  The 'make
> > conf' target will create a modules.conf if you don't have one.
> >
> 
> I have created the modules.conf and things are progressing. What I am
> finding is that, say I enable module ssh, now it wants me to enable the
> mail module also.
> 
> Now, is it considered the right thing to do to go ahead and just edit the
> ssh.if file and take out mta_getattr_spool($1_t), or is there a better way
> to untangle the interdependency between the modules?

Perhaps you're looking for optional_policy() ?

> Should I introduce a boolean variable in policy/booleans.conf and make
> it tunable_policy('platform_has_mail', .. and send out the change for
> diff in case someone else might be interested?
> 
> -Sam

Guido
