apol and active modules

apol and active modules

[Russell Coker]

Why can't apol (at least version 3.3.6.ds) parse the files in 
/etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a bug or 
a wontfix thing?
-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Christopher J. PeBenito]

On 07/24/11 07:26, Russell Coker wrote:
> Why can't apol (at least version 3.3.6.ds) parse the files in
> /etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a bug or
> a wontfix thing?

Can you be more specific about your usage?  There shouldn't be a problem 
looking at those, since they're just a copy of what you install via 
semodule -i/-b.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Russell Coker]

On Mon, 25 Jul 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> On 07/24/11 07:26, Russell Coker wrote:
> > Why can't apol (at least version 3.3.6.ds) parse the files in
> > /etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a
> > bug or a wontfix thing?
> 
> Can you be more specific about your usage?  There shouldn't be a problem
> looking at those, since they're just a copy of what you install via
> semodule -i/-b.

# diff /usr/share/selinux/default/base.pp \ 
/etc/selinux/default/modules/active/base.pp 
Binary files /usr/share/selinux/default/base.pp and 
/etc/selinux/default/modules/active/base.pp differ

The files are not just a copy.

When /tmp/base.pp is a copy of /etc/selinux/default/modules/active/base.pp I 
get the following:

$ apol  /tmp/base.pp 
Initializing libqpol... done.
Initializing libapol... done.
Initializing libsefs... done.
Initializing libapol_tcl... done.
Initializing Tk... done.
(unknown source)::ERROR 'syntax error' at token 'BZh91AY' on line 1:

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Christopher J. PeBenito]

On 07/25/11 08:48, Russell Coker wrote:
> On Mon, 25 Jul 2011, "Christopher J. PeBenito"<cpebenito@tresys.com>  wrote:
>> On 07/24/11 07:26, Russell Coker wrote:
>>> Why can't apol (at least version 3.3.6.ds) parse the files in
>>> /etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a
>>> bug or a wontfix thing?
>>
>> Can you be more specific about your usage?  There shouldn't be a problem
>> looking at those, since they're just a copy of what you install via
>> semodule -i/-b.
>
> # diff /usr/share/selinux/default/base.pp \
> /etc/selinux/default/modules/active/base.pp
> Binary files /usr/share/selinux/default/base.pp and
> /etc/selinux/default/modules/active/base.pp differ
>
> The files are not just a copy.

It sounds like there might be some corruption.  I did the same diff on 
my system and came up with no changes.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Russell Coker]

On Mon, 25 Jul 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> > The files are not just a copy.
> 
> It sounds like there might be some corruption.  I did the same diff on 
> my system and came up with no changes.

On Debian/Squeeze and Debian/Unstable I can reliably rebuild the policy (via 
the selinux-policy-upgrade script that runs semodule to reinsert all modules 
from the original policy tree) and get the same result.  Every time it results 
in different files in the active tree and apol not liking them.

It must be an issue of which versions of the libraries etc are being used.  
The systems work quite well like this, I just have to use the original .pp 
files for apol.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Stephen Smalley]

On Mon, 2011-07-25 at 22:48 +1000, Russell Coker wrote:
> On Mon, 25 Jul 2011, "Christopher J. PeBenito" <cpebenito@tresys.com> wrote:
> > On 07/24/11 07:26, Russell Coker wrote:
> > > Why can't apol (at least version 3.3.6.ds) parse the files in
> > > /etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a
> > > bug or a wontfix thing?
> > 
> > Can you be more specific about your usage?  There shouldn't be a problem
> > looking at those, since they're just a copy of what you install via
> > semodule -i/-b.
> 
> # diff /usr/share/selinux/default/base.pp \ 
> /etc/selinux/default/modules/active/base.pp 
> Binary files /usr/share/selinux/default/base.pp and 
> /etc/selinux/default/modules/active/base.pp differ
> 
> The files are not just a copy.
> 
> When /tmp/base.pp is a copy of /etc/selinux/default/modules/active/base.pp I 
> get the following:
> 
> $ apol  /tmp/base.pp 
> Initializing libqpol... done.
> Initializing libapol... done.
> Initializing libsefs... done.
> Initializing libapol_tcl... done.
> Initializing Tk... done.
> (unknown source)::ERROR 'syntax error' at token 'BZh91AY' on line 1:

BZh is the bzip2 magic string.  I'd guess your installed modules are
compressed (the default) and thus can't be opened by apol unless it
knows to decompress them first?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: apol and active modules

[Christopher J. PeBenito]

On 07/25/11 10:08, Stephen Smalley wrote:
> On Mon, 2011-07-25 at 22:48 +1000, Russell Coker wrote:
>> On Mon, 25 Jul 2011, "Christopher J. PeBenito"<cpebenito@tresys.com>  wrote:
>>> On 07/24/11 07:26, Russell Coker wrote:
>>>> Why can't apol (at least version 3.3.6.ds) parse the files in
>>>> /etc/selinux/$SELINUXTYPE/modules/active/modules?  Is this considered a
>>>> bug or a wontfix thing?
>>>
>>> Can you be more specific about your usage?  There shouldn't be a problem
>>> looking at those, since they're just a copy of what you install via
>>> semodule -i/-b.
>>
>> # diff /usr/share/selinux/default/base.pp \
>> /etc/selinux/default/modules/active/base.pp
>> Binary files /usr/share/selinux/default/base.pp and
>> /etc/selinux/default/modules/active/base.pp differ
>>
>> The files are not just a copy.
>>
>> When /tmp/base.pp is a copy of /etc/selinux/default/modules/active/base.pp I
>> get the following:
>>
>> $ apol  /tmp/base.pp
>> Initializing libqpol... done.
>> Initializing libapol... done.
>> Initializing libsefs... done.
>> Initializing libapol_tcl... done.
>> Initializing Tk... done.
>> (unknown source)::ERROR 'syntax error' at token 'BZh91AY' on line 1:
>
> BZh is the bzip2 magic string.  I'd guess your installed modules are
> compressed (the default) and thus can't be opened by apol unless it
> knows to decompress them first?

Ah, I forgot about that.  SETools gained the bzip2 support in 3.3.7.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.