From: Steve Lawrence <slawrence@tresys.com>
To: Dominick Grift <dominick.grift@gmail.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [RFC] CIL and Source Policy Integration
Date: Thu, 9 Jan 2014 11:22:04 -0500 [thread overview]
Message-ID: <52CECCAC.5070805@tresys.com> (raw)
In-Reply-To: <1389283773.15747.18.camel@x220.localdomain>
On 01/09/2014 11:09 AM, Dominick Grift wrote:
> On Thu, 2014-01-09 at 10:27 -0500, Steve Lawrence wrote:
>
>> Considering this patchset really only changes where modules are
>> installed and the format of those modules, I suspect you're right that
>> copying the targeted configuration is causing some issues. Plus the fact
>> that the policy is based on old refpolicy and not fedora policy, I
>> expected policy related issues. However, the main goal of this RFC was
>> to determine if the CIL and Source policy integration is headed down the
>> right path, and determine if there are any high level design flaws or
>> any issues that need to be worked out for upstream integration to occur.
>> If the only remaining issue is getting a system working in enforcing, I
>> think we're okay with that.
>>
>> We'll continue to look into the issues you described and see if we can
>> come up with fixes, but I suspect they are more policy/configuration
>> related, and not problems with the patchset.
>>
>> Thanks!
>> - Steve
>
> Alright, I understand. I do suspect this is more than just a simple
> policy issue but I can't narrow it down at the moment. Login mappings
> are missing one way or another, and that seems to break other things
> like home dir context generation. Since semodule -B initiates all this I
> would argue that semodule -B functionality for at least some part is
> broken one way or another.
>
> I did do other tests and they seem to all pass.
>
> For example disabling and enabling modules:
>
> so for example:
>
> semodule -d irc (disabled it: confirmed with sesearch)
> cd cilpolicy xargs -a LISTING semodule -i
> (tells me that it will disable irc module after install because its set
> disabled: confirmed with sesearch)
> semodule -e irc (enables it again: confirmed with sesearch)
>
>
Yes, looking into it some more, I think you're right. There's a bug
somewhere. Still looking into it.
Thanks,
- Steve
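The disable / reinstall / enable round-trip Dominick describes above, written out as a script with the "confirmed with sesearch" step made explicit at every stage. This is an added example, not code from the thread or from the patchset under discussion. It assumes: the module is irc and the type to query is irc_t (the thread names only the module); the module files sit in ./cilpolicy with a LISTING file naming them, as in the thread; semodule and sesearch are on PATH; and the module listing has the `semodule --list-modules=full` format of later policycoreutils (priority, name, language extension, optional trailing "disabled"), which is an assumption. The sample listing in the block is constructed for offline parsing, not real system output.

```shell
#!/bin/sh
# Added example (not from the thread): scripted version of the
#   semodule -d irc / reinstall from LISTING / semodule -e irc
# round-trip, checking the loaded policy with sesearch after each step.
# Assumptions (not stated in the thread): module irc, type irc_t,
# modules in ./cilpolicy with a LISTING file, semodule/sesearch on PATH.

MODULE="${MODULE:-irc}"
MODDIR="${MODDIR:-cilpolicy}"
TYPE="${TYPE:-irc_t}"

# Number of allow rules in the loaded policy whose source type is $1.
# A disabled module contributes no types or rules, so this drops to 0.
rule_count() {
    sesearch -A -s "$1" 2>/dev/null | grep -c '^allow' || true
}

# Read a module listing on stdin and print the state of module $1:
# "disabled", "enabled" or "absent". Assumed line format (that of
# `semodule --list-modules=full` in later policycoreutils, not taken
# from the thread): priority, name, language extension, and an optional
# trailing "disabled" marker, matched case-insensitively.
module_state() {
    awk -v n="$1" '
        $2 == n {
            found = 1
            s = (tolower($NF) == "disabled") ? "disabled" : "enabled"
            print s
            exit
        }
        END { if (!found) print "absent" }'
}

# The round-trip itself. Returns non-zero, naming the failing step, on
# the first mismatch. The reinstall step must keep a module that was
# disabled before it in the disabled state.
roundtrip_check() {
    before=$(semodule --list-modules=full | module_state "$MODULE")
    [ "$before" != absent ] || { echo "$MODULE: not installed"; return 1; }

    semodule -d "$MODULE" || return 1
    [ "$(rule_count "$TYPE")" -eq 0 ] || { echo "rules still present after -d"; return 1; }

    ( cd "$MODDIR" && xargs -a LISTING semodule -i ) || return 1
    [ "$(rule_count "$TYPE")" -eq 0 ] || { echo "reinstall re-enabled $MODULE"; return 1; }

    semodule -e "$MODULE" || return 1
    [ "$(rule_count "$TYPE")" -gt 0 ] || { echo "rules missing after -e"; return 1; }

    echo "round-trip ok"
}

# Constructed sample listing (not real system output) so the parser can
# be exercised without an SELinux system; the irc line carries the marker.
SAMPLE_LISTING='100 abrt pp
100 irc pp disabled
100 zebra pp'

# State of module $1 according to the constructed sample.
demo_parse() {
    printf '%s\n' "$SAMPLE_LISTING" | module_state "$1"
}

case "${1:-}" in
    run) roundtrip_check ;;
    *)   echo "irc in sample listing: $(demo_parse irc)" ;;
esac
```

Run it as `sh roundtrip.sh run` on the test machine; without the `run` argument it only parses the constructed sample. The sesearch count is the useful signal here because a module that is installed but disabled still shows up in the module store, so the listing alone cannot tell you whether `semodule -i` silently re-enabled it.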
Thread overview: 13+ messages
2014-01-08 20:44 [RFC] CIL and Source Policy Integration Steve Lawrence
2014-01-09 13:35 ` Dominick Grift
2014-01-09 14:51 ` Dominick Grift
2014-01-09 15:27 ` Steve Lawrence
2014-01-09 16:09 ` Dominick Grift
2014-01-09 16:22 ` Steve Lawrence [this message]
2014-01-09 16:32 ` Dominick Grift
2014-01-09 16:15 ` Stephen Smalley
2014-01-09 16:56 ` Steve Lawrence
2014-01-09 18:34 ` James Carter
2014-01-09 19:29 ` Steve Lawrence
2014-01-09 20:47 ` Daniel J Walsh
2014-01-09 21:06 ` Stephen Smalley