* Userspace Release 2014-08-26-rc2 - semodule(8) query
@ 2014-09-11 12:35 Richard Haines
From: Richard Haines @ 2014-09-11 12:35 UTC (permalink / raw)
  To: SteveLawrence; +Cc: selinux list

Steve,

Could you explain/clarify the semodule --priority option please. I've been adding
modules at different priorities and they are still added to the final binary policy
in /etc/selinux/<policy_name>/policy so trying to figure out what they could be
used for.

Thanks
Richard


* Re: Userspace Release 2014-08-26-rc2 - semodule(8) query
From: Steve Lawrence @ 2014-09-11 13:23 UTC (permalink / raw)
  To: Richard Haines; +Cc: selinux list

Priorities allow multiple modules with the same name to exist in the
policy store, with the higher priority module included in the final
kernel binary, and all lower priority modules of the same name ignored.
So this allows things like:

  # semodule --priority 100 --install distribution/apache.pp
  # semodule --priority 400 --install custom/apache.pp

Both apache modules are installed to the policy store listed as
'apache', but only the custom apache module is included in the final
kernel binary. The distribution apache module is completely ignored.

The main use case for this is the ability to override a distribution
provided policy, while keeping the distribution policy in the store.
This makes it very easy for distributions, 3rd parties, configuration
management tools (e.g. puppet), local administrators, etc. to update
policies without wiping away each others changes. This also means that
even if a distribution/3rd party/etc updates a module, if you have one
installed at a higher priority, it will still override the new
distribution policy.

This does require that various policy managers adopt some kind of scheme
for who uses what priority. No strict guidelines for this currently
exist, but we have assumed some numbers. For example, we assume
distributions would use priority 100, and so the semanage_migrate_store
script migrates all modules using that as the default. We also assume
that local policies will be installed at 400, so semodule uses that as a
default priority.

Hopefully that clears things up a bit.

- Steve


On 09/11/2014 08:35 AM, Richard Haines wrote:
> Steve,
> 
> Could you explain/clarify the semodule --priority option please. I've been adding
> modules at different priorities and they are still added to the final binary policy
> in /etc/selinux/<policy_name>/policy so trying to figure out what they could be
> used for.
> 
> Thanks
> Richard
> 

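The resolution rule Steve describes (highest priority wins per module name, every lower-priority copy with the same name is shadowed) is easy to check against a real policy store. The script below is an added example, not code from the thread or from the SELinux userspace project. It assumes the output of `semodule --list-modules=full` is one module per line in the form `<priority> <name> <lang_ext>` (e.g. `400 apache pp`); the listing embedded here is constructed for illustration and was not captured from a real system.

```bash
#!/bin/sh
# Constructed sample of `semodule --list-modules=full` output.
# Assumed line format: "<priority> <name> <lang_ext>".
# apache and bind are installed twice (distribution copy at 100, an
# override at a higher priority); zebra exists only once.
SAMPLE_LISTING='400 apache      pp
100 apache      pp
100 bind        pp
200 bind        pp
100 zebra       pp'

# effective_modules LISTING
# Prints, for each module name, the single entry that ends up in the
# kernel binary: the one with the highest priority. Output is sorted by
# module name so it is stable for diffing against a later run.
effective_modules() {
    printf '%s\n' "$1" | awk '
        {
            if (!($2 in best) || $1 > best[$2]) {
                best[$2] = $1   # highest priority seen so far for this name
                ext[$2]  = $3
            }
        }
        END {
            for (n in best) printf "%s %s %s\n", best[n], n, ext[n]
        }' | sort -k2
}

# shadowed_modules LISTING
# Prints every entry that is still in the store but ignored at policy
# build time because a same-named module exists at a higher priority.
# This is the list an administrator wants when auditing which
# distribution (priority 100) modules have been overridden locally.
shadowed_modules() {
    printf '%s\n' "$1" | awk '
        {
            pr[NR] = $1; nm[NR] = $2
            if (!($2 in best) || $1 > best[$2]) best[$2] = $1
        }
        END {
            for (i = 1; i <= NR; i++)
                if (pr[i] < best[nm[i]]) printf "%s %s\n", pr[i], nm[i]
        }' | sort -k2
}

# Stand-alone run against the constructed listing.
echo "effective:"; effective_modules "$SAMPLE_LISTING"
echo "shadowed:";  shadowed_modules  "$SAMPLE_LISTING"
```

On a live system, feed the real listing instead of the constructed one, for example `shadowed_modules "$(semodule --list-modules=full)"`. Because the shadowed copy stays in the store, removing the override with `semodule -X 400 -r apache` does not leave the system without an apache module: the priority-100 distribution copy becomes the effective one again on the next policy rebuild, which is exactly the layering behaviour the reply describes.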
