* refpolicy modules
@ 2007-02-28  9:26 Vincenzo Ciaglia
  2007-02-28 13:05 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Vincenzo Ciaglia @ 2007-02-28  9:26 UTC (permalink / raw)
  To: selinux

Hello, another question.

Is there any way to get SELinux refpolicy working without modules that
are not useful for my system, without re-editing most of the policies
once I have done this?

It's really hard work to modify each policy with not-useful lines.

Excuse me for the dumb question, but maybe there's a way that I still
don't know.

Thank you!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: refpolicy modules
  2007-02-28  9:26 refpolicy modules Vincenzo Ciaglia
@ 2007-02-28 13:05 ` Stephen Smalley
  2007-02-28 13:37   ` Vincenzo Ciaglia
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2007-02-28 13:05 UTC (permalink / raw)
  To: vin; +Cc: selinux, Christopher J. PeBenito

On Wed, 2007-02-28 at 10:26 +0100, Vincenzo Ciaglia wrote:
> Hello, another question.
> 
> Is there any way to get SELinux refpolicy working without modules that
> are not useful for my system, without re-editing most of the policies
> once I have done this?
> 
> It's really hard work to modify each policy with not-useful lines.
> 
> Excuse me for the dumb question, but maybe there's a way that I still
> don't know.

What are you asking?  You should be able to turn off modules that you
don't need and have the rest build, although there likely is a
fundamental core set of modules that are presumed to be present.  If you
have specific cases where you disabled a module and couldn't build the
rest of the policy, then report those.

-- 
Stephen Smalley
National Security Agency



* Re: refpolicy modules
  2007-02-28 13:05 ` Stephen Smalley
@ 2007-02-28 13:37   ` Vincenzo Ciaglia
  2007-02-28 14:00     ` Christopher J. PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Vincenzo Ciaglia @ 2007-02-28 13:37 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux, Christopher J. PeBenito

On Wed, 2007-02-28 at 08:05 -0500, Stephen Smalley wrote:
> What are you asking?  You should be able to turn off modules that you
> don't need and have the rest build, although there likely is a
> fundamental core set of modules that are presumed to be present.  If you
> have specific cases where you disabled a module and couldn't build the
> rest of the policy, then report those.

Well, maybe it's better to give you an example; here are the modules that I
want to run on Netwosix for now:
http://www.netwosix.org/selinux/modules.conf

Then when I try to "make install" I get some errors related to other
modules evidently needed by the modules in my .conf. Here is the example:

##################################
/usr/bin/checkmodule:  loading policy configuration from tmp/apache.tmp
policy/modules/services/apache.te:239:ERROR 'syntax error' at token
'avahi_stream_connect' on line 14780:
                avahi_stream_connect(httpd_t)
#line 239
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/apache.mod] Error 1
##################################

Of course this happens because I'm not using the avahi module. To solve
this I just have to comment out the line related to "avahi" in my
policy.conf. What I'm asking for is a way to not waste so much time
editing each line of my policy.

For example, if my apache.te depends on "avahi" and avahi is not present
in my strict-policy with its module, the policy should understand this
and skip this step by compiling the whole policy just using the modules
that are present.

I still don't know if it's possible, so I'm asking here.
Thank you for your time!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>



* Re: refpolicy modules
  2007-02-28 13:37   ` Vincenzo Ciaglia
@ 2007-02-28 14:00     ` Christopher J. PeBenito
  2007-02-28 14:05       ` Vincenzo Ciaglia
  0 siblings, 1 reply; 5+ messages in thread
From: Christopher J. PeBenito @ 2007-02-28 14:00 UTC (permalink / raw)
  To: vin; +Cc: Stephen Smalley, selinux

On Wed, 2007-02-28 at 14:37 +0100, Vincenzo Ciaglia wrote:
> On Wed, 2007-02-28 at 08:05 -0500, Stephen Smalley wrote:
> > What are you asking?  You should be able to turn off modules that you
> > don't need and have the rest build, although there likely is a
> > fundamental core set of modules that are presumed to be present.  If you
> > have specific cases where you disabled a module and couldn't build the
> > rest of the policy, then report those.
> 
> Well, maybe it's better to give you an example; here are the modules that I
> want to run on Netwosix for now:
> http://www.netwosix.org/selinux/modules.conf
> 
> Then when I try to "make install" I get some errors related to other
> modules evidently needed by the modules in my .conf. Here is the example:
> 
> ##################################
> /usr/bin/checkmodule:  loading policy configuration from tmp/apache.tmp
> policy/modules/services/apache.te:239:ERROR 'syntax error' at token
> 'avahi_stream_connect' on line 14780:
>                 avahi_stream_connect(httpd_t)
> #line 239
> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
> make: *** [tmp/apache.mod] Error 1
> ##################################
> 
> Of course this happens because I'm not using the avahi module. To solve
> this I just have to comment out the line related to "avahi" in my
> policy.conf. What I'm asking for is a way to not waste so much time
> editing each line of my policy.
> 
> For example, if my apache.te depends on "avahi" and avahi is not present
> in my strict-policy with its module, the policy should understand this
> and skip this step by compiling the whole policy just using the modules
> that are present.

It looks like you deleted the avahi module source files rather than just
turning it off in modules.conf.  The source files are still required to
compile the modules that depend on avahi (optionally or otherwise).

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
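
The distinction drawn in the reply above, as an added example that is not part of the original thread or of refpolicy's own tooling: a module is disabled by marking it `off` in modules.conf, and a quick audit shows when a module's source files have been deleted instead. The function names, the constructed sample tree, and the assumed layout (`policy/modules.conf` with `name = base|module|off` lines, sources under `policy/modules/<layer>/`) are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not refpolicy's own tooling). Assumed layout:
#   policy/modules.conf                 lines of the form "name = base|module|off"
#   policy/modules/<layer>/<name>.te    and .if source files

# List "<module>.<ext>" for every module named in modules.conf, in any state
# (including "off"), whose .te or .if file is missing from the tree.
missing_sources() {
    tree=$1
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' \
        "$tree/policy/modules.conf" |
    while read -r mod; do
        for ext in te if; do
            found=no
            for f in "$tree"/policy/modules/*/"$mod.$ext"; do
                if [ -f "$f" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then echo "$mod.$ext"; fi
        done
    done
}

# Turn a module off by rewriting its modules.conf line; sources stay in place.
disable_module() {
    tree=$1; mod=$2; conf="$tree/policy/modules.conf"
    sed "s/^[[:space:]]*$mod[[:space:]]*=.*/$mod = off/" "$conf" > "$conf.new" &&
        mv "$conf.new" "$conf"
}

# Constructed sample tree: apache and avahi both enabled, sources for both.
make_sample_tree() {
    tree=$1
    mkdir -p "$tree/policy/modules/services"
    printf '# constructed sample\napache = module\navahi = module\n' \
        > "$tree/policy/modules.conf"
    for m in apache avahi; do
        : > "$tree/policy/modules/services/$m.te"
        : > "$tree/policy/modules/services/$m.if"
    done
}

demo=$(mktemp -d)
make_sample_tree "$demo"
disable_module "$demo" avahi          # flag it off, keep the sources
missing_sources "$demo"               # prints nothing
rm "$demo/policy/modules/services/avahi.if" "$demo/policy/modules/services/avahi.te"
missing_sources "$demo"               # now reports avahi.te and avahi.if
rm -rf "$demo"
```
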



* Re: refpolicy modules
  2007-02-28 14:00     ` Christopher J. PeBenito
@ 2007-02-28 14:05       ` Vincenzo Ciaglia
  0 siblings, 0 replies; 5+ messages in thread
From: Vincenzo Ciaglia @ 2007-02-28 14:05 UTC (permalink / raw)
  To: Christopher J. PeBenito; +Cc: Stephen Smalley, selinux

On mer, 2007-02-28 at 09:00 -0500, Christopher J. PeBenito wrote:

> It looks like you deleted the avahi module source files rather than just
> turning it off in modules.conf.  The source files are still required to
> compile the modules that depend on avahi (optionally or otherwise).

Oh, now I understand.

Thank you, I'm going to try.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix, <http://www.netwosix.org>

