From: Stephen Smalley <sds@tycho.nsa.gov>
To: Sven Vermeulen <sven.vermeulen@siphos.be>,
SELinux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH v2 0/3] Add support for extracting modules
Date: Fri, 7 Aug 2015 09:28:12 -0400
Message-ID: <55C4B26C.90508@tycho.nsa.gov>
In-Reply-To: <CAPzO=NxAAr3QGYkxQ_rkyhRUQPGc6Gs0CKP5auTu6H-HLHaORA@mail.gmail.com>
On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
> Will you provide a patch to the reference policy to allow semanage_t
> to write into all kinds of directories?
>
> I personally see little value in this patch, as everything is readily
> accessible on the file system. Users who want to extract policies with
> semodule will now encounter policy issues where semanage_t is not
> allowed to write into the current working directory (depending where
> the user is at):
Directly accessing files under /var/lib/selinux is not very
user-friendly or maintainable, as how the files are arranged and stored
is an implementation detail of libsemanage.
The change allows users a new workflow in which they can readily extract
a module (whether locally created or distro-provided), modify it, and
then re-install it (and automatically have their modified version
installed at higher priority, and thereby not clobber the
distro-provided one or be clobbered by subsequent policy updates).
semanage is already given userdom_read_user_home_content_files() and
userdom_read_user_tmp_files() in order to support semodule -i from
either of those locations, so broadening that to userdom_manage doesn't
seem too onerous.
Also, the situation doesn't seem terribly different from the already
existing semanage export facility, which takes a -f output_file option.
>
> allow semanage_t tmp_t : dir { ioctl read write getattr lock
> add_name remove_name search open } ;
> allow semanage_t selinux_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
> allow semanage_t default_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
> allow semanage_t file_context_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
> allow semanage_t semanage_store_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
> allow semanage_t semanage_tmp_t : dir { ioctl read write create
> getattr setattr lock unlink link rename add_name remove_name reparent
> search rmdir open } ;
> allow semanage_t policy_config_t : dir { ioctl read write getattr
> lock add_name remove_name search open } ;
>
> Wkr,
> Sven Vermeulen
>
> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy
> <ykhodorkovskiy@tresys.com> wrote:
>> This patchset adds support for extracting modules from the module store as hll
>> or cil to the current working directory. This also adds a function to the
>> libsemanage API to extract modules and fixes a memory leak discovered while
>> implementing this functionality.
>>
>> Changes from v1:
>> - Add fallback behavior if a module does not exist at the default priority when
>> extracting with semodule.
>>
>> Yuli Khodorkovskiy (3):
>> libsemanage: Add ability to extract modules
>> libsemanage: Fix null pointer dereference in
>> semanage_module_key_destroy
>> policycoreutils/semodule: update semodule to allow extracting modules
>>
>> libsemanage/include/semanage/modules.h | 17 ++
>> libsemanage/src/direct_api.c | 310 ++++++++++++++++++++++-----------
>> libsemanage/src/libsemanage.map | 1 +
>> libsemanage/src/modules.c | 23 ++-
>> libsemanage/src/policy.h | 8 +
>> libsemanage/src/semanageswig_python.i | 5 +
>> policycoreutils/semodule/semodule.8 | 14 ++
>> policycoreutils/semodule/semodule.c | 146 +++++++++++++++-
>> 8 files changed, 416 insertions(+), 108 deletions(-)
>>
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
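The extract / edit / re-install workflow Stephen describes, as an added shell example that is not part of the thread or of the patchset; it assumes the semodule options that later shipped (-E/--extract, -c/--cil, -X/--priority, -lfull) and that the invoking user may write to the current directory.

```shell
#!/bin/sh
# Added example, not from the thread or the patchset.  Flag names are
# assumed from semodule(8) as it later shipped, not from the v2 patch.
set -eu

# libsemanage priorities are 1..999; distro modules are normally at 100
# and semodule -i defaults to 400, so a local copy at 400 shadows the
# distro one without overwriting it in the store.
valid_priority() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 999 ]
}

# File name semodule -E writes into the current directory.
extracted_name() {
    # $1 = module name, $2 = cil|hll
    case "$2" in
        cil) echo "$1.cil" ;;
        hll) echo "$1.pp" ;;
        *)   echo "unknown format: $2" >&2; return 1 ;;
    esac
}

# Extract MODULE as CIL into the working directory (this is the write
# access to arbitrary directories that the policy discussion is about).
extract_module() {
    semodule -c -E "$1"
    extracted_name "$1" cil
}

# Re-install FILE at PRIORITY.  The lower-priority original stays in the
# store, so a later distro update cannot clobber the local copy.
reinstall_module() {
    valid_priority "$2" || { echo "bad priority: $2" >&2; return 1; }
    semodule -X "$2" -i "$1"
    name=${1##*/}; name=${name%.*}
    # show every copy of the module with its priority
    semodule -lfull | grep -E "^[0-9]+ +$name "
}

if [ "$#" -ge 1 ]; then
    f=$(extract_module "$1")
    echo "edit $f, then run: reinstall_module $f ${2:-400}"
fi
```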
Thread overview: 11+ messages
2015-08-06 14:30 [PATCH v2 0/3] Add support for extracting modules Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 1/3] libsemanage: Add ability to extract modules Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 2/3] libsemanage: Fix null pointer dereference in semanage_module_key_destroy Yuli Khodorkovskiy
2015-08-06 14:30 ` [PATCH v2 3/3] policycoreutils/semodule: update semodule to allow extracting modules Yuli Khodorkovskiy
2015-08-06 15:04 ` [PATCH v2 0/3] Add support for " James Carter
2015-08-07 8:09 ` Sven Vermeulen
2015-08-07 13:28 ` Stephen Smalley [this message]
2015-08-07 13:37 ` Joshua Brindle
2015-08-07 14:14 ` Dominick Grift
2015-08-07 15:39 ` Christopher J. PeBenito
2015-08-07 13:47 ` James Carter