* sepolicy and setools4
@ 2016-08-19 15:35 Jason Zaman
2016-08-19 19:04 ` Stephen Smalley
2016-08-19 21:03 ` Petr Lautrbach
0 siblings, 2 replies; 3+ messages in thread
From: Jason Zaman @ 2016-08-19 15:35 UTC (permalink / raw)
To: selinux
Hi all,
I've been trying to finally get rid of the last users of setools3 since
its basically on life support. I have a lot of things fixed locally but
not quite in good enough shape to submit.
Sepolicy currently is the thing that uses setools3 and everything else
mostly goes via sepolicy. It boils down to sepolicy.info() and
sepolicy.search() which are C-wrappers to setools3. Those two methods
have a very open-ended and confusing API, and are just very thin
wrappers around setools. It seems to me that we'd be better off updating
most things that use it to instead use setools4 directly.
I have fixed .info() already (although still untested) so .search() is
the main problem. It takes dictionaries of stuff and returns
dictionaries of stuff and what exactly is in the dictionaries is not
that clear.
How many users outside of the tree are there for sepolicy directly? If
the only users are in the tree, I'd much rather kill off
sepolicy.search() and go directly to setools. Is that an option?
slawrence mentioned on IRC that setroubleshoot might use sepolicy but
wasnt entirely sure. Even if it does, does it use .search() and .info()?
or does it only use all the other methods from it?
-- Jason
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sepolicy and setools4
2016-08-19 15:35 sepolicy and setools4 Jason Zaman
@ 2016-08-19 19:04 ` Stephen Smalley
2016-08-19 21:03 ` Petr Lautrbach
1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2016-08-19 19:04 UTC (permalink / raw)
To: Jason Zaman, selinux
On 08/19/2016 11:35 AM, Jason Zaman wrote:
> Hi all,
>
> I've been trying to finally get rid of the last users of setools3 since
> its basically on life support. I have a lot of things fixed locally but
> not quite in good enough shape to submit.
>
> Sepolicy currently is the thing that uses setools3 and everything else
> mostly goes via sepolicy. It boils down to sepolicy.info() and
> sepolicy.search() which are C-wrappers to setools3. Those two methods
> have a very open-ended and confusing API, and are just very thin
> wrappers around setools. It seems to me that we'd be better off updating
> most things that use it to instead use setools4 directly.
>
> I have fixed .info() already (although still untested) so .search() is
> the main problem. It takes dictionaries of stuff and returns
> dictionaries of stuff and what exactly is in the dictionaries is not
> that clear.
>
> How many users outside of the tree are there for sepolicy directly? If
> the only users are in the tree, I'd much rather kill off
> sepolicy.search() and go directly to setools. Is that an option?
I'm all for doing that.
> slawrence mentioned on IRC that setroubleshoot might use sepolicy but
> wasnt entirely sure. Even if it does, does it use .search() and .info()?
> or does it only use all the other methods from it?
cc'd the folks who might know about setroubleshoot.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sepolicy and setools4
2016-08-19 15:35 sepolicy and setools4 Jason Zaman
2016-08-19 19:04 ` Stephen Smalley
@ 2016-08-19 21:03 ` Petr Lautrbach
1 sibling, 0 replies; 3+ messages in thread
From: Petr Lautrbach @ 2016-08-19 21:03 UTC (permalink / raw)
To: Jason Zaman; +Cc: selinux
On Fri, Aug 19, 2016 at 11:35:28PM +0800, Jason Zaman wrote:
> Hi all,
>
> I've been trying to finally get rid of the last users of setools3 since
> its basically on life support. I have a lot of things fixed locally but
> not quite in good enough shape to submit.
>
> Sepolicy currently is the thing that uses setools3 and everything else
> mostly goes via sepolicy. It boils down to sepolicy.info() and
> sepolicy.search() which are C-wrappers to setools3. Those two methods
> have a very open-ended and confusing API, and are just very thin
> wrappers around setools. It seems to me that we'd be better off updating
> most things that use it to instead use setools4 directly.
>
> I have fixed .info() already (although still untested) so .search() is
> the main problem. It takes dictionaries of stuff and returns
> dictionaries of stuff and what exactly is in the dictionaries is not
> that clear.
>
> How many users outside of the tree are there for sepolicy directly? If
> the only users are in the tree, I'd much rather kill off
> sepolicy.search() and go directly to setools. Is that an option?
>
> slawrence mentioned on IRC that setroubleshoot might use sepolicy but
> wasnt entirely sure. Even if it does, does it use .search() and .info()?
> or does it only use all the other methods from it?
It uses search(), info() and few other methods as well.
However there are already two branches. One is considered as stable for
and uses python2. I'd expect that this branch will depend on
setools3 and SELinux userspace <= 2.5.
As for the second development branch, I'd say that it can be simply
ported to use setools4 directly instead of sepolicy.
Petr
> -- Jason
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
--
Petr Lautrbach
SELinux Solutions
Red Hat
Better technology. Faster innovation. Powered by community collaboration.
See how it works at redhat.com.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-08-19 21:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-08-19 15:35 sepolicy and setools4 Jason Zaman
2016-08-19 19:04 ` Stephen Smalley
2016-08-19 21:03 ` Petr Lautrbach
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.