From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <53C96305.60109@tycho.nsa.gov>
Date: Fri, 18 Jul 2014 14:10:13 -0400
From: Stephen Smalley
MIME-Version: 1.0
To: Steve Lawrence, Dominick Grift
Subject: Re: [RFC] Source Policy, CIL, and High Level Languages
References: <53BD9646.6030303@tresys.com> <1404975079.31209.11.camel@x220.localdomain> <53C944AC.4080605@tresys.com>
In-Reply-To: <53C944AC.4080605@tresys.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: SELinux List
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
List-Post:
List-Help:

On 07/18/2014 12:00 PM, Steve Lawrence wrote:
> On 07/10/2014 02:51 AM, Dominick Grift wrote:
>> On Wed, 2014-07-09 at 15:21 -0400, Steve Lawrence wrote:
>>> In January, we sent an RFC [1] to update userspace to integrate CIL
>>> [2] and source policy. And in April, we sent an updated RFC [3] which
>>> added support for high level languages and a tool to convert policy
>>> package (pp) files to CIL. After getting some good feedback, we have
>>> made some more changes, mostly to maintain ABI compatibility. The
>>> major changes made since the last patchset are:
>>
>> After associating user john with staff_u, john's home directory is
>> properly labeled (staff_u associated with /home/john). However, what is
>> strange here is that I cannot see staff_u home dir context specs
>> in /var/lib/selinux/targeted/active/modules/file_contexts.homedirs
>>
>> Am I looking in the wrong place? How does SELinux know that staff_u
>> needs to be associated with /home/john?
>
> In the current upstream, file_contexts.homedirs is autogenerated and
> created in /etc/selinux/targeted/modules/active/ before it is copied to
> /etc/selinux/targeted/contexts/files. This file is not removed from the
> store, so it actually exists in two places.
>
> However, with the new source policy work, file_contexts.homedirs is
> generated in a temporary sandbox (not the policy store). The contents of
> the sandbox are copied to /etc/selinux, and then deleted at the end of
> the transaction. So the new source policy infrastructure no longer
> stores intermediate/final build files in the policy store.
>
> However, the migration script copies all the files from the old store to
> the new store, even including autogenerated files that the new source
> policy infrastructure will never look at or touch. This is just a bug in
> the migration script. We've updated the migration script to only migrate
> the files that actually need to be migrated (mostly *.local files). This
> has been rebased/pushed to github #integration branch.

If I run semanage_migrate_etc_to_var.py -n on a clean (no /var/lib/selinux
at all) system, the /var/lib/selinux/targeted/active directory contains a
homedir_template and a netfilter_contexts file in addition to the modules
(and commit_num). The first file is automatically extracted from all of the
file contexts during build and the second is unused these days. If I then
run semodule -B (or omit the -n option on migration), I further have
file_contexts.template and users_extra files under active, both of which
are also generated. I can delete all four files and regenerate all but
netfilter_contexts via semodule -B.
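The migration behaviour the thread discusses (copy only the persistent parts of the old store, leave generated build artifacts behind) can be illustrated with a small filter. The following is an added example written for this page; it is not the real semanage_migrate_etc_to_var.py and does not reproduce its logic. The generated file names come from the thread; the "modules/100/base/cil", "seusers.local" and "commit_num" entries in the constructed old store are assumptions made for the demonstration, and treating everything that is not a module source, a *.local file or commit_num as rebuildable is a simplification of "mostly *.local files".

```python
"""Illustrative policy-store migration filter (added example, not the
upstream semanage_migrate_etc_to_var.py).  It copies only persistent store
state from an old active/ directory to a new one and reports which files
were left behind because a later build regenerates them."""
import os
import shutil
import tempfile

# Files the thread names as generated during a policy build.  The new
# source-policy infrastructure rebuilds them in a temporary sandbox, so
# carrying them over from the old store only leaves stale copies around.
GENERATED = {
    "file_contexts.homedirs",
    "file_contexts.template",
    "homedir_template",
    "users_extra",
    "netfilter_contexts",
}


def needs_migration(relpath):
    """True if relpath (relative to the old active/ dir) is persistent
    state rather than a build artifact.  Simplification: anything that is
    not a module source, a *.local customization or commit_num is treated
    as rebuildable."""
    parts = os.path.normpath(relpath).split(os.sep)
    name = parts[-1]
    if parts[0] == "modules" and len(parts) > 1:
        return True                      # policy module sources
    if name == "commit_num":
        return True                      # store transaction counter
    if name.endswith(".local"):
        return True                      # local customizations
    return False                         # GENERATED and anything unknown


def migrate(old_active, new_active):
    """Copy only files that need migrating; return sorted relative paths."""
    migrated = []
    for root, _dirs, files in os.walk(old_active):
        for fname in files:
            src = os.path.join(root, fname)
            rel = os.path.relpath(src, old_active)
            if not needs_migration(rel):
                continue
            dst = os.path.join(new_active, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            migrated.append(rel)
    return sorted(migrated)


def demo():
    """Build a constructed old store in a temp dir, migrate it, and return
    (migrated, left_behind) as lists of relative paths."""
    work = tempfile.mkdtemp()
    old = os.path.join(work, "old_active")
    new = os.path.join(work, "new_active")
    # Constructed sample layout; paths are assumptions for this example.
    constructed = [
        os.path.join("modules", "100", "base", "cil"),
        "commit_num",
        "file_contexts.local",
        "seusers.local",
        "file_contexts.homedirs",
        "file_contexts.template",
        "homedir_template",
        "users_extra",
        "netfilter_contexts",
    ]
    try:
        for rel in constructed:
            path = os.path.join(old, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        migrated = migrate(old, new)
        left = sorted(r for r in constructed if r not in migrated)
    finally:
        shutil.rmtree(work)
    return migrated, left


if __name__ == "__main__":
    moved, skipped = demo()
    print("migrated:", moved)
    print("left behind (regenerated by semodule -B):", skipped)
```

Running the block copies the module source, commit_num and the two *.local files and leaves the five generated files behind, which matches the state the thread describes after the migration script fix: a new store that holds only what the source-policy build cannot reconstruct itself.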