* Semodule syntax is broken.
@ 2009-08-21 15:53 Daniel J Walsh
  2009-08-21 16:27 ` Manoj Srivastava
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2009-08-21 15:53 UTC (permalink / raw)
  To: SE Linux

Currently when rpm ships, it does an 

semodule -b base.pp -i a.pp b.pp c.pp

It should be able to do 

semodule -b base.pp -u a.pp b.pp c.pp

But -u blows up if c.pp was not previously installed.  It should follow the rpm -U syntax; upgrade if the previous package exists and install if it does not.  If we want to add a -F (freshen) this could only upgrade pre-existing modules, and ignore others.

If I was to change to -u, I would need to add a fourth field to policy modules and upgrade it each time I added a patch.  It would be a pain, but I guess I could deal with it.

BUT a bigger problem is how to deal with an administrator that wants to remove a package and ensure it does not get reinstalled.  If an administrator decides he does not want to install unconfined.pp, we do not want an selinux-policy upgrade to re-install the package.

semodule -r should set a flag when a package gets removed.  Then semodule -u or semodule -i would not install the package unless the administrator specifies a -f.

semodule -r unconfined

Would create a file in the policy store /etc/selinux/targeted/modules/active/modules/unconfined.exclude.  

semodule -u and semodule -i would respect it, and just print out an error message.

semodule -u unconfined.pp
Warning: unconfined.pp is excluded from the policy store, use -f to force the install

Add -q qualifier to quiet this message

# semodule -f -u unconfined.pp
Would install the package and remove the flag.


I would like to get consensus on this before I implement.  Or others can implement.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: Semodule syntax is broken.
  2009-08-21 15:53 Semodule syntax is broken Daniel J Walsh
@ 2009-08-21 16:27 ` Manoj Srivastava
  2009-08-21 17:50   ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Manoj Srivastava @ 2009-08-21 16:27 UTC (permalink / raw)
  To: selinux

On Fri, Aug 21 2009, Daniel J Walsh wrote:

> Currently when rpm ships, it does an 
> semodule -b base.pp -i a.pp b.pp c.pp
> It should be able to do 
> semodule -b base.pp -u a.pp b.pp c.pp
>
> But -u blows up if c.pp was not previously installed.  It should
> follow the rpm -U syntax; upgrade if the previous package exists and
> install if it does not.  If we want to add a -F (freshen) this could
> only upgrade pre-existing modules, and ignore others. 

> If I was to change to -u, I would need to add a fourth field to policy
> modules and upgrade it each time I added a patch.  It would be a pain,
> but I guess I could deal with it. 


> BUT  A bigger problem is how to deal with an administrator that wants
> to remove a package and ensure it does not get reinstalled.  If an
> administrator decides he does not want to install unconfined.pp, we do
> not want an selinux-policy upgrade to re-install the package. 

        Could you not look at the .pp files already installed, and only
 add to that list policy that corresponds to packages currently being
 installed in this run of rpm? (Debian has a postinstall script that
 tries to map between packages on the system and the corresponding .pp
 files to be installed). This leaves the heuristics in the packaging
 scripts, and not in semodule.

>
> semodule -r should set a flag when a package gets removed.  Then
> semodule -u or semodule -i would not install the package unless the
> administrator specifies a -f.

> semodule -r unconfined
> Would create a file in the policy store
> /etc/selinux/targeted/modules/active/modules/unconfined.exclude.   

> semodule -u and semodule -i would respect it, and just print out an error
> message. 
> semodule -u unconfined.pp
> Warning: unconfined.pp is excluded from the policy store, use -f to
> force the install 

        Are you talking about explicit administrator action? In that
 case it makes sense. 

        But I would also like to unload policy modules if a package gets
 removed: So installing, say, apache should also load the selinux policy
 for apache; and removing the apache package should remove that.

        But then if I reinstall apache I do not want apache policy to
 be blocked.

        So how about asking for semodule -F -r foo 
 (-F meaning to block the foo.pp from the policy store in the future).
 This allows the admin to block the policy from the store, but allows
 normal package removal/reinstall to work nominally.

> I would like to get consensus on this before I implement.  Or others
> can implement. 

        I would like to see a solution that distinguishes between the
 two use cases, and adds the force option on removal before blocking
 occurs.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


* Re: Semodule syntax is broken.
  2009-08-21 16:27 ` Manoj Srivastava
@ 2009-08-21 17:50   ` Daniel J Walsh
  2009-08-22  3:27     ` Manoj Srivastava
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2009-08-21 17:50 UTC (permalink / raw)
  To: selinux

On 08/21/2009 12:27 PM, Manoj Srivastava wrote:
> On Fri, Aug 21 2009, Daniel J Walsh wrote:
> 
>> Currently when rpm ships, it does an 
>> semodule -b base.pp -i a.pp b.pp c.pp
>> It should be able to do 
>> semodule -b base.pp -u a.pp b.pp c.pp
>>
>> But -u blows up if c.pp was not previously installed.  It should
>> follow the rpm -U syntax; upgrade if the previous package exists and
>> install if it does not.  If we want to add a -F (freshen) this could
>> only upgrade pre-existing modules, and ignore others. 
> 
>> If I was to change to -u, I would need to add a fourth field to policy
>> modules and upgrade it each time I added a patch.  It would be a pain,
>> but I guess I could deal with it. 
> 
> 
>> BUT  A bigger problem is how to deal with an administrator that wants
>> to remove a package and ensure it does not get reinstalled.  If an
>> administrator decides he does not want to install unconfined.pp, we do
>> not want an selinux-policy upgrade to re-install the package. 
> 
>         Could you not look at the .pp files already installed, and only
>  add to that list policy that corresponds to packages currently being
>  installed in this run of rpm? (Debian has a postinstall script that
>  tries to map between packages on the system and the corresponding .pp
>  files to be installed). This leaves the heuristics in the packaging
>  scripts, and not in semodule. 
> 
Well, that is going to make the packages very complex, and it also breaks on things like
--force or --oldpackage.

Where if we did a real good job of knowing which package added a pp file.

But I would think the admin would want to prevent any other package from installing the package.

He removed it for a reason.  
>>
>> semodule -r should set a flag when a package gets removed.  Then
>> semodule -u or semodule -i would not install the package unless the
>> administrator specifies a -f.
> 
>> semodule -r unconfined
>> Would create a file in the policy store
>> /etc/selinux/targeted/modules/active/modules/unconfined.exclude.   
> 
>> semodule -u and semodule -i would respect it, and just print out an error
>> message. 
>> semodule -u unconfined.pp
>> Warning: unconfined.pp is excluded from the policy store, use -f to
>> force the install 
> 
>         Are you talking about explicit administrator action? In that
>  case it makes sense. 
> 
>         But I would also like to unload policy modules if a package gets
>  removed: So installing, say, apache should also load the selinux policy
>  for apache; and removing the apache package should remove that.
> 
>         But then if I reinstall apache I do not want apache policy to
>  be blocked.
> 
>         So how about asking for semodule -F -r foo 
>  (-F meaning to block the foo.pp from the policy store in the future).
>  This allows the admin to block the policy from the store, but allows
>  normal package removal/reinstall to work nominally.
> 
>> I would like to get consensus on this before I implement.  Or others
>> can implement. 
> 
>         I would like to see a solution that distinguishes between the
>  two use cases, and adds the force option on removal before blocking
>  occurs.
> 
>         manoj

Excellent point, I had not thought of that.  

So proposal

semodule -r : No change in default behaviour
         -F : Permanently removes policy package, leaving POLICY.exclude flag in module store

semodule -u : Install if package not installed, upgrade otherwise
semodule -f : Only upgrade modules that are currently installed
semodule -i : No change.
        All will get a warning message if a module they are trying to install has a POLICY.exclude flag
         -q : Shut up warning messages
         -F : Remove POLICY.exclude flag and install the package


* Re: Semodule syntax is broken.
  2009-08-21 17:50   ` Daniel J Walsh
@ 2009-08-22  3:27     ` Manoj Srivastava
  2009-08-24 13:04       ` Daniel J Walsh
  0 siblings, 1 reply; 6+ messages in thread
From: Manoj Srivastava @ 2009-08-22  3:27 UTC (permalink / raw)
  To: selinux

On Fri, Aug 21 2009, Daniel J Walsh wrote:


> So proposal
>
> semodule -r : No change in default behaviour
>	 -F : Permanently removes policy package, leaving POLICY.exclude
>	      flag in module store 
>
> semodule -u : Install if package not installed, upgrade otherwise
> semodule -f : Only upgrade modules that are currently installed
> semodule -i : No change.
>	All will get a warning message if a module they are trying to
>	install has a POLICY.exclude flag 
>          -q : Shut up warning messages
>          -F : Remove POLICY.exclude flag and install the package

        Sounds good to me.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


* Re: Semodule syntax is broken.
  2009-08-22  3:27     ` Manoj Srivastava
@ 2009-08-24 13:04       ` Daniel J Walsh
  2009-08-24 20:19         ` Chad Sellers
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel J Walsh @ 2009-08-24 13:04 UTC (permalink / raw)
  To: selinux

On 08/21/2009 11:27 PM, Manoj Srivastava wrote:
> On Fri, Aug 21 2009, Daniel J Walsh wrote:
> 
> 
>> So proposal
>>
>> semodule -r : No change in default behaviour
>> 	 -F : Permanently removes policy package, leaving POLICY.exclude
>> 	      flag in module store 
>>
>> semodule -u : Install if package not installed, upgrade otherwise
>> semodule -f : Only upgrade modules that are currently installed
>> semodule -i : No change.
>> 	All will get a warning message if a module they are trying to
>> 	install has a POLICY.exclude flag 
>>          -q : Shut up warning messages
>>          -F : Remove POLICY.exclude flag and install the package
> 
>         Sounds good to me.
> 
>         manoj
After talking to Chris P on IRC, I have rethought these changes.  He mentioned that they are looking into "disabling" modules.  So I think we should follow that line of thinking.

semodule -r (--remove) : No change in default behaviour
semodule -u (--upgrade): Install if package not installed, upgrade otherwise
semodule -f (--freshen): Only upgrade modules that are currently installed
semodule -i (--install): No change.
semodule -q (--quiet): Shut up warning messages
semodule -d (--disable): Disable policy module; store policy module as POLICY.pp.disabled in /etc/selinux/TYPE/modules/active/modules
semodule -e (--enable): Rename POLICY.pp.disabled to POLICY.pp and rebuild

libsemanage would then not build policy modules that were disabled.  It would look for POLICY.pp.disabled when installing or upgrading modules and maintain the name.  --remove would remove both disabled and enabled modules.  List would now list the disabled modules with a flag indicating they are disabled.

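A small shell model of the store semantics proposed in the message above (an added example, not semodule or libsemanage code): it simulates the module store in a temporary directory standing in for /etc/selinux/TYPE/modules/active/modules and implements the proposed -u (install-or-upgrade), -f (freshen), -d/-e (rename to and from POLICY.pp.disabled), -r (remove either form) and listing-with-a-disabled-flag behaviour as shell functions. The function names, the per-module result strings and the sample modules (base, apache, unconfined, ftp) are this example's own inventions, not anything the thread or the tool defines. The point it makes concrete is the one the thread is after: a package upgrade that re-applies a module the administrator disabled keeps it disabled instead of silently re-enabling it.

```shell
#!/bin/sh
# Model of the module-store semantics proposed in the thread (added example,
# not semodule/libsemanage code). STORE stands in for the real directory the
# proposal names, /etc/selinux/TYPE/modules/active/modules; here it is a
# temporary directory created by store_init, so nothing touches a real store.

store_init() { STORE=$(mktemp -d); }

# Module name from a policy package path: path/to/apache.pp -> apache
mod_name() { basename "$1" .pp; }

# Seed the store with an installed module (constructed sample state).
store_install() { : > "$STORE/$1.pp"; }

# semodule -d POLICY: keep the package but rename it POLICY.pp.disabled so
# the policy build skips it.
mod_disable() {
  [ -f "$STORE/$1.pp" ] || return 1
  mv "$STORE/$1.pp" "$STORE/$1.pp.disabled"
}

# semodule -e POLICY: rename POLICY.pp.disabled back to POLICY.pp (the real
# tool would then rebuild the policy).
mod_enable() {
  [ -f "$STORE/$1.pp.disabled" ] || return 1
  mv "$STORE/$1.pp.disabled" "$STORE/$1.pp"
}

# semodule -r POLICY: removes the module whether it is enabled or disabled.
mod_remove() { rm -f "$STORE/$1.pp" "$STORE/$1.pp.disabled"; }

# Current state of a module in the store: enabled, disabled or absent.
mod_state() {
  if [ -f "$STORE/$1.pp" ]; then echo enabled
  elif [ -f "$STORE/$1.pp.disabled" ]; then echo disabled
  else echo absent; fi
}

# What applying one .pp file does under a mode (hypothetical result strings):
#   upgrade (-u): install if absent, upgrade otherwise
#   freshen (-f): upgrade only if present, otherwise skip
# A disabled module is upgraded in place and keeps its .disabled name, so a
# package upgrade cannot silently re-enable policy the administrator turned off.
apply_one() {
  mode=$1; name=$(mod_name "$2")
  case "$mode:$(mod_state "$name")" in
    *:disabled)     echo "$name:upgrade-disabled" ;;
    *:enabled)      echo "$name:upgrade" ;;
    upgrade:absent) echo "$name:install" ;;
    freshen:absent) echo "$name:skip" ;;
    *) echo "$name: unknown mode $mode" >&2; return 1 ;;
  esac
}

# Apply a whole list, like "semodule -u a.pp b.pp c.pp"; one line per module.
apply_all() {
  mode=$1; shift
  for pp in "$@"; do apply_one "$mode" "$pp" || return 1; done
}

# List the store the way the proposal asks: disabled modules get a flag.
store_list() {
  for f in "$STORE"/*.pp "$STORE"/*.pp.disabled; do
    [ -e "$f" ] || continue
    name=$(basename "$f"); name=${name%%.pp*}
    case $f in *.disabled) echo "$name (disabled)" ;; *) echo "$name" ;; esac
  done
}

# Walk through the scenario from the thread in a throw-away store.
demo() {
  store_init
  store_install base; store_install apache; store_install unconfined
  mod_disable unconfined
  echo "== semodule -u apache.pp unconfined.pp ftp.pp =="
  apply_all upgrade apache.pp unconfined.pp ftp.pp
  echo "== semodule -f apache.pp ftp.pp =="
  apply_all freshen apache.pp ftp.pp
  echo "== semodule -l =="
  store_list
  rm -rf "$STORE"
}

demo
```

Running the script prints the demo; every decision is returned through a function rather than only printed, so the same logic can be exercised from a test with a fresh store.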

* Re: Semodule syntax is broken.
  2009-08-24 13:04       ` Daniel J Walsh
@ 2009-08-24 20:19         ` Chad Sellers
  0 siblings, 0 replies; 6+ messages in thread
From: Chad Sellers @ 2009-08-24 20:19 UTC (permalink / raw)
  To: Daniel J Walsh, selinux

On 8/24/09 9:04 AM, "Daniel J Walsh" <dwalsh@redhat.com> wrote:

> On 08/21/2009 11:27 PM, Manoj Srivastava wrote:
>> On Fri, Aug 21 2009, Daniel J Walsh wrote:
>> 
>> 
>>> So proposal
>>> 
>>> semodule -r : No change in default behaviour
>>> -F : Permanently removes policy package, leaving POLICY.exclude
>>>      flag in module store
>>> 
>>> semodule -u : Install if package not installed, upgrade otherwise
>>> semodule -f : Only upgrade modules that are currently installed
>>> semodule -i : No change.
>>> All will get a warning message if a module they are trying to
>>> install has a POLICY.exclude flag
>>>          -q : Shut up warning messages
>>>          -F : Remove POLICY.exclude flag and install the package
>> 
>>         Sounds good to me.
>> 
>>         manoj
> After talking to Chris P on IRC, I have rethought these changes.  He
> mentioned that they are looking into "disabling" modules.  So I think we
> should follow that line of thinking.
> 
> semodule -r (--remove) : No change in default behaviour
> semodule -u (--upgrade): Install if package not installed, upgrade otherwise
> semodule -f (--freshen): Only upgrade modules that are currently installed
> semodule -i (--install): No change.
> semodule -q (--quiet): Shut up warning messages
> semodule -d (--disable): Disable policy module; store policy module as
> POLICY.pp.disabled in /etc/selinux/TYPE/modules/active/modules
> semodule -e (--enable): Rename POLICY.pp.disabled to POLICY.pp and rebuild
> 
> libsemanage would then not build policy modules that were disabled.  It would
> look for POLICY.pp.disabled when installing or upgrading modules and maintain
> the name.  --remove would remove both disabled and enabled modules.  List
> would now list the disabled modules with a flag indicating they are disabled.
> 
I like this idea very much, as -u has always bothered me. So, this looks
good to me, though it's a bit odd to add features to semodule while at the
same time working to deprecate it in favor of everything going through
semanage.

Thanks,
Chad


