* Re: Boolean change of names.
From: Daniel J Walsh @ 2012-06-11 17:38 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, Eric Paris, SELinux
On 06/11/2012 01:34 PM, Stephen Smalley wrote:
> On Mon, 2012-06-11 at 13:21 -0400, Eric Paris wrote:
>> On Mon, Jun 11, 2012 at 12:51 PM, Stephen Smalley <sds@tycho.nsa.gov>
>> wrote:
>>> On Mon, 2012-06-11 at 12:12 -0400, Daniel J Walsh wrote:
>>>> We have started pushing a boolean change into Fedora 18.
>>>>
>>>> https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
>>>>
>>>> The problem we are seeing is that boolean names used within an
>>>> interface are causing the install to fail on rebuild of policy.
>>>>
>>>> IE If I installed a custom policy with a boolean used in it, and the
>>>> boolean changed then the module will blow up the policy compile.
>>>>
>>>>
>>>> interface(`kerberos_manage_host_rcache',`
>>>> gen_require(`
>>>> type krb5_host_rcache_t;
>>>> ')
>>>>
>>>> ...
>>>>
>>>> tunable_policy(`allow_kerberos',`
>>>> allow $1 self:process setfscreate;
>>>> ...
>>>> ')
>>>>
>>>> ...
>>>> ')
>>>>
>>>> And change the allow_kerberos to kerberos_enabled.
>>>>
>>>> One idea would be to pull the translations into the semanage, or
>>>> would I need to do this at a lower level. Or are we stuck with these
>>>> bad names forever...
>>>
>>> Adding boolean aliases to the policy language, including kernel
>>> support, seems like the best route if you truly want to do this.
>>
>> What does 'including kernel support' mean? Expose both names in the
>> booleans/ directory?
>
> Yes, you would need to do that if you want [gs]etsebool or semanage boolean
> to support use of either name.
>
> I guess if you only want this support for policy modules, you could do it
> entirely within libsepol and have it remap all aliases to their primary
> names during policy link/expand.
>
>
Yes that is what I am suggesting. Can libsepol call into libselinux? I have
exported an selinux_boolean_sub function which returns either the translated
name or the original.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Boolean change of names.
From: Stephen Smalley @ 2012-06-11 17:45 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Eric Paris, Eric Paris, SELinux
On Mon, 2012-06-11 at 13:38 -0400, Daniel J Walsh wrote:
> On 06/11/2012 01:34 PM, Stephen Smalley wrote:
> > On Mon, 2012-06-11 at 13:21 -0400, Eric Paris wrote:
> >> On Mon, Jun 11, 2012 at 12:51 PM, Stephen Smalley <sds@tycho.nsa.gov>
> >> wrote:
> >>> On Mon, 2012-06-11 at 12:12 -0400, Daniel J Walsh wrote:
> >>>> We have started pushing a boolean change into Fedora 18.
> >>>>
> >>>> https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
> >>>>
> >>>> The problem we are seeing is that boolean names used within an
> >>>> interface are causing the install to fail on rebuild of policy.
> >>>>
> >>>> IE If I installed a custom policy with a boolean used in it, and the
> >>>> boolean changed then the module will blow up the policy compile.
> >>>>
> >>>>
> >>>> interface(`kerberos_manage_host_rcache',`
> >>>> gen_require(`
> >>>> type krb5_host_rcache_t;
> >>>> ')
> >>>>
> >>>> ...
> >>>>
> >>>> tunable_policy(`allow_kerberos',`
> >>>> allow $1 self:process setfscreate;
> >>>> ...
> >>>> ')
> >>>>
> >>>> ...
> >>>> ')
> >>>>
> >>>> And change the allow_kerberos to kerberos_enabled.
> >>>>
> >>>> One idea would be to pull the translations into the semanage, or
> >>>> would I need to do this at a lower level. Or are we stuck with these
> >>>> bad names forever...
> >>>
> >>> Adding boolean aliases to the policy language, including kernel
> >>> support, seems like the best route if you truly want to do this.
> >>
> >> What does 'including kernel support' mean? Expose both names in the
> >> booleans/ directory?
> >
> > Yes, you would need to do that if you want [gs]etsebool or semanage boolean
> > to support use of either name.
> >
> > I guess if you only want this support for policy modules, you could do it
> > entirely within libsepol and have it remap all aliases to their primary
> > names during policy link/expand.
> >
> >
> Yes that is what I am suggesting. Can libsepol call into libselinux? I have
> exported an selinux_boolean_sub function which returns either the translated
> name or the original.
No, libsepol isn't supposed to call libselinux. Tools like checkpolicy
that call libsepol need to work even on non-SELinux (and even non-Linux)
platforms.
--
Stephen Smalley
National Security Agency
* Re: Boolean change of names.
From: Eric Paris @ 2012-06-11 17:49 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, Eric Paris, SELinux
On Mon, Jun 11, 2012 at 1:45 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Mon, 2012-06-11 at 13:38 -0400, Daniel J Walsh wrote:
> No, libsepol isn't supposed to call libselinux. Tools like checkpolicy
> that call libsepol need to work even on non-SELinux (and even non-Linux)
> platforms.
Agreed, alternate names should be a first class citizen and part of
policy proper. I'm trying to decide if we should move the get/set
translator to load the policydb and find alternates that way or should
we generate the alternate names as a file at build time and use that
small translation file (like we tried today)?
-Eric
* Re: Boolean change of names.
From: Daniel J Walsh @ 2012-06-11 17:49 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, Eric Paris, SELinux
On 06/11/2012 01:34 PM, Stephen Smalley wrote:
> On Mon, 2012-06-11 at 13:21 -0400, Eric Paris wrote:
>> On Mon, Jun 11, 2012 at 12:51 PM, Stephen Smalley <sds@tycho.nsa.gov>
>> wrote:
>>> On Mon, 2012-06-11 at 12:12 -0400, Daniel J Walsh wrote:
>>>> We have started pushing a boolean change into Fedora 18.
>>>>
>>>> https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
>>>>
>>>> The problem we are seeing is that boolean names used within an
>>>> interface are causing the install to fail on rebuild of policy.
>>>>
>>>> IE If I installed a custom policy with a boolean used in it, and the
>>>> boolean changed then the module will blow up the policy compile.
>>>>
>>>>
>>>> interface(`kerberos_manage_host_rcache',`
>>>> gen_require(`
>>>> type krb5_host_rcache_t;
>>>> ')
>>>>
>>>> ...
>>>>
>>>> tunable_policy(`allow_kerberos',`
>>>> allow $1 self:process setfscreate;
>>>> ...
>>>> ')
>>>>
>>>> ...
>>>> ')
>>>>
>>>> And change the allow_kerberos to kerberos_enabled.
>>>>
>>>> One idea would be to pull the translations into the semanage, or
>>>> would I need to do this at a lower level. Or are we stuck with these
>>>> bad names forever...
>>>
>>> Adding boolean aliases to the policy language, including kernel
>>> support, seems like the best route if you truly want to do this.
>>
>> What does 'including kernel support' mean? Expose both names in the
>> booleans/ directory?
>
> Yes, you would need to do that if you want [gs]etsebool or semanage boolean
> to support use of either name.
>
> I guess if you only want this support for policy modules, you could do it
> entirely within libsepol and have it remap all aliases to their primary
> names during policy link/expand.
>
>
Adding a
boolalias newbool alias oldbool;
Is fine with me, although I still think we would need to generate a
translation table for libselinux.
getsebool allow_ypbind
nis_enabled --> off
And the kernel does not see the aliases.
* Re: Boolean change of names.
From: Christopher J. PeBenito @ 2012-06-11 17:49 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Eric Paris, Daniel J Walsh, Eric Paris, SELinux
On 06/11/12 13:34, Stephen Smalley wrote:
> On Mon, 2012-06-11 at 13:21 -0400, Eric Paris wrote:
>> On Mon, Jun 11, 2012 at 12:51 PM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>> On Mon, 2012-06-11 at 12:12 -0400, Daniel J Walsh wrote:
>>>> We have started pushing a boolean change into Fedora 18.
>>>>
>>>> https://fedoraproject.org/wiki/Features/SELinuxBooleansRename
>>>>
>>>> The problem we are seeing is that boolean names used within an interface are
>>>> causing the install to fail on rebuild of policy.
>>>>
>>>> IE If I installed a custom policy with a boolean used in it, and the boolean
>>>> changed then the module will blow up the policy compile.
>>>>
>>>>
>>>> interface(`kerberos_manage_host_rcache',`
>>>> gen_require(`
>>>> type krb5_host_rcache_t;
>>>> ')
>>>>
>>>> ...
>>>>
>>>> tunable_policy(`allow_kerberos',`
>>>> allow $1 self:process setfscreate;
>>>> ...
>>>> ')
>>>>
>>>> ...
>>>> ')
>>>>
>>>> And change the allow_kerberos to kerberos_enabled.
>>>>
>>>> One idea would be to pull the translations into the semanage, or would I need
>>>> to do this at a lower level. Or are we stuck with these bad names forever...
>>>
>>> Adding boolean aliases to the policy language, including kernel support,
>>> seems like the best route if you truly want to do this.
>>
>> What does 'including kernel support' mean? Expose both names in the
>> booleans/ directory?
>
> Yes, you would need to do that if you want [gs]etsebool or semanage
> boolean to support use of either name.
>
> I guess if you only want this support for policy modules, you could do
> it entirely within libsepol and have it remap all aliases to their
> primary names during policy link/expand.
Also, if there are any local Boolean states in semanage (i.e. setsebool -P), they'd have to be migrated to the new symbol name too.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
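The three pieces the thread circles around, brought together in one added example that is not code from libselinux, libsepol, Fedora's policy or any of the posters: the name substitution Dan describes for his selinux_boolean_sub and the `getsebool allow_ypbind` → `nis_enabled --> off` output he shows; the stale `tunable_policy()` references in a custom module that break the policy rebuild, with a source-level stand-in for the alias remap Stephen suggests doing in libsepol at link/expand; and the migration of locally persisted (`setsebool -P`) states that Chris points out is also needed. The "old_name new_name" per-line layout of the translation table, the constructed module source, the constructed local-state map and the extra renamed booleans beyond the two the thread names are all assumptions.

```python
import re

# Constructed translation table in an "old_name new_name" per-line layout
# (the thread's "small translation file"; this exact format is an assumption).
SUBS_TABLE = """\
# old_name              new_name   (constructed sample)
allow_kerberos          kerberos_enabled
allow_ypbind            nis_enabled
allow_ftpd_anon_write   ftpd_anon_write
"""

# Constructed custom module in the shape of the thread's interface snippet.
MODULE_SRC = """\
policy_module(mykrb, 1.0)
require { type krb5_host_rcache_t; type myapp_t; }
tunable_policy(`allow_kerberos',`
    allow myapp_t self:process setfscreate;
')
tunable_policy(`allow_ypbind && !allow_ftpd_anon_write',`
    allow myapp_t self:process setfscreate;
')
"""

# Constructed local states as `setsebool -P` would have persisted them under the
# old names, plus one already stored under a new name to force a conflict.
LOCAL_STATES = {"allow_ypbind": "on", "allow_kerberos": "off",
                "kerberos_enabled": "on", "ssh_sysadm_login": "on"}

TUNABLE_RE = re.compile(r"tunable_policy\(\s*`([^']*)'")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_subs(text):
    """Map old boolean name -> new name; comments, blanks and malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def boolean_sub(name, table):
    """Translated name if `name` was renamed, else the name unchanged
    (the contract Dan describes for his selinux_boolean_sub)."""
    return table.get(name, name)


def getsebool_line(query, current_states, table):
    """Translate a queried (possibly old) name and report the state under the
    current name, e.g. `getsebool allow_ypbind` -> 'nis_enabled --> off'."""
    name = boolean_sub(query, table)
    return "%s --> %s" % (name, current_states[name]) if name in current_states else None


def stale_tunable_refs(module_src, table):
    """Renamed booleans still referenced in a module's tunable_policy() conditions:
    these are the references that break the policy rebuild the thread describes."""
    stale = set()
    for m in TUNABLE_RE.finditer(module_src):
        for ident in IDENT_RE.findall(m.group(1)):
            if ident in table:
                stale.add((ident, table[ident]))
    return sorted(stale)


def remap_tunable_refs(module_src, table):
    """Rewrite tunable_policy() conditions to the new names (a source-level
    stand-in for the alias remap Stephen suggests doing in libsepol at link/expand)."""
    def fix(m):
        expr = IDENT_RE.sub(lambda i: table.get(i.group(0), i.group(0)), m.group(1))
        return "tunable_policy(`%s'" % expr
    return TUNABLE_RE.sub(fix, module_src)


def migrate_local_states(local, table):
    """Move persisted states from old to new names. A state already stored under
    the new name wins; an old-name state that disagrees with it is reported as a
    conflict instead of being silently overwritten."""
    migrated = {n: v for n, v in local.items() if n not in table}
    conflicts = []
    for name, value in local.items():
        if name in table:
            new = table[name]
            if new not in migrated:
                migrated[new] = value
            elif migrated[new] != value:
                conflicts.append((name, new))
    return migrated, conflicts


if __name__ == "__main__":
    table = parse_subs(SUBS_TABLE)
    print(getsebool_line("allow_ypbind", {"nis_enabled": "off"}, table))
    for old, new in stale_tunable_refs(MODULE_SRC, table):
        print("module still references %s (now %s)" % (old, new))
    print(remap_tunable_refs(MODULE_SRC, table))
    print(migrate_local_states(LOCAL_STATES, table))
```

Running `stale_tunable_refs` over the local modules before a policy rebuild is the check that turns the "module will blow up the policy compile" failure into an actionable list; `migrate_local_states` reports the one case an automatic migration must not guess at, a local state under both the old and the new name with different values.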