* policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Manoj Srivastava @ 2009-08-14 14:59 UTC (permalink / raw)
  To: selinux

Hi,

        I am running into an issue with sepolgen on Debian. Debian ships
 more than one version of the refpolicy, a default one, and a
 MLS enabled one. So, the include files live in either
 /usr/share/selinux/{default,mls}/include

        sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
 a single location -- and thus, only one version of the security policy
 may be supported. So, sepolgen-ifgen from policycoreutils can only work
 with one policy, which may not be the one installed on the target
 machine. Could this be made configurable, somehow? As far as I can
 see, sepolgen's python library does not offer any way to set the value.

        It would be nice if the location of the include directory could
 be looked for from a PATH like variable setting, to make it easier for
 distributions to ship more than one policy, or for end users to
 experiment with other policies without having to overwrite the single
 default.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Manoj Srivastava @ 2009-08-14 16:50 UTC (permalink / raw)
  To: selinux

Hi,

On Fri, Aug 14 2009, Manoj Srivastava wrote:

>         I am running into an issue with sepolgen on Debian. Debian ships
>  more than one  version of the refpolicy, a default one, and a
>  MLS enabled one. So, the include files live in either
>  /usr/share/selinux/{default,mls}/include
>
>         sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>  a single location -- and thus, only one version of the security policy
>  may be supported. So, sepolgen-ifgen from policycoreutils can only work
>  with one policy, which may not be the one installed on the target
>  machine. Could this be made configurable, somehow? As far as I can
>  see, sepolgen's python library does not offer any way to set the value.
>
>         It would be nice if the location of the include directory could
>  be looked for from a PATH like variable setting, to make it easier for
>  distributions to ship more than one policy, or for end users to
>  experiment with other policies without have to overwrite the single
>  default. 

        Well, here is a kind of proof-of-concept patch (python is not my
 strong suit), and I have only tested in that it allows the package to
 compile, and the following code works:
--8<---------------cut here---------------start------------->8---
import defaults

# The following looks for /etc/selinux/sepolgen.conf that 
# does not exist
print defaults.refpolicy_makefile()
print defaults.headers()

# Create a configuration file
testfd = open("/tmp/pathchooser.conf", "w")
print >>testfd, "# This is a comment"
print >>testfd, "  # An empty line will follow"
print >>testfd, ""
print >>testfd, "SELINUX_DEVEL_PATH = /:/etc:/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
print >>testfd, "FOO= bar:baz"
testfd.close()

# Specify a non default config file, that has /etc in it
chooser = defaults.PathChoooser("/tmp/pathchooser.conf")
print chooser("passwd")
--8<---------------cut here---------------end--------------->8---

        manoj

Signed-off-by: Enrico Zini <enrico@debian.org>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
---
 src/sepolgen/defaults.py |   47 +++++++++++++++++++++++++++++++++++++++------
 1 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
index 45ce61a..906c058 100644
--- a/src/sepolgen/defaults.py
+++ b/src/sepolgen/defaults.py
@@ -1,6 +1,6 @@
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 #
-# Copyright (C) 2006 Red Hat 
+# Copyright (C) 2006 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
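Review bot: the only change in this hunk is stripping trailing whitespace from the `# Copyright (C) 2006 Red Hat ` comment line; a whitespace-only edit unrelated to the feature should be dropped from this patch (or sent separately) so the functional diff stays easy to review.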
@@ -17,6 +17,40 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #
 
+import os
+import re
+
+# Select the correct location for the development files based on a
+# path variable (optionally read from a configuration file)
+class PathChoooser(object):
+    def __init__(self, pathname):
+        self.config = dict()
+        if not os.path.exists(pathname):
+            self.config_pathname = "(defaults)"
+            self.config["SELINUX_DEVEL_PATH"] = "/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
+            return
+        self.config_pathname = pathname
+        ignore = re.compile(r"^\s*(?:#.+)?$")
+        consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
+        for lineno, line in enumerate(open(pathname)):
+            if ignore.match(line): continue
+            mo = consider.match(line)
+            if not mo:
+                raise ValueError, "%s:%d: line is not in key = value format" % (pathname, lineno+1)
+            self.config[mo.group(1)] = mo.group(2)
+
+    # We're only exporting one useful function, so why not be a function
+    def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
+        paths = self.config.get(pathset, None)
+        if paths is None:
+            raise ValueError, "%s was not in %s" % (pathset, self.config_pathname)
+        paths = paths.split(":")
+        for p in paths:
+            target = os.path.join(p, testfilename)
+            if os.path.exists(target): return target
+        return os.path.join(paths[0], testfilename)
+
+
 """
 Various default settings, including file and directory locations.
 """
@@ -30,12 +64,11 @@ def perm_map():
 def interface_info():
     return data_dir() + "/interface_info"
 
-def refpolicy_devel():
-    return "/usr/share/selinux/devel"
-
 def refpolicy_makefile():
-    return refpolicy_devel() + "/Makefile"
+    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+    return chooser("Makefile")
 
 def headers():
-    return refpolicy_devel() + "/include"
-    
+    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+    return chooser("include")
+
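Review bot: refpolicy_makefile() and headers() now resolve independently, each building a fresh PathChoooser and searching the list for its own file, so when the first directory lacks one of the two entries the Makefile may be taken from one policy tree and include/ from another. Resolve the development directory once (require Makefile and include/ in the same candidate) and derive both paths from it. Deleting refpolicy_devel() also breaks any caller outside this file; keeping it as a thin wrapper over the chooser preserves the API.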
-- 
1.6.3.3


-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Manoj Srivastava @ 2009-08-16 14:52 UTC (permalink / raw)
  To: selinux

On Fri, Aug 14 2009, Manoj Srivastava wrote:

> Hi,
>
> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>
>>         I am running into an issue with sepolgen on Debian. Debian ships
>>  more than one  version of the refpolicy, a default one, and a
>>  MLS enabled one. So, the include files live in either
>>  /usr/share/selinux/{default,mls}/include
>>
>>         sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>  a single location -- and thus, only one version of the security policy
>>  may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>  with one policy, which may not be the one installed on the target
>>  machine. Could this be made configurable, somehow? As far as I can
>>  see, sepolgen's python library does not offer any way to set the value.
>>
>>         It would be nice if the location of the include directory could
>>  be looked for from a PATH like variable setting, to make it easier for
>>  distributions to ship more than one policy, or for end users to
>>  experiment with other policies without have to overwrite the single
>>  default. 
>
>         Well, here is a kind of proof-of-concept patch (python is not my
>  strong suit), and I have only tested in that it allows the package to
>  compile, and the following code works:
> --8<---------------cut here---------------start------------->8---
> import defaults
>
> # The following looks for /etc/selinux/sepolgen.conf that 
> # does not exist
> print defaults.refpolicy_makefile()
> print defaults.headers()
>
> # Create a configuration file
> testfd = open("/tmp/pathchooser.conf", "w")
> print >>testfd, "# This is a comment"
> print >>testfd, "  # An empty line will follow"
> print >>testfd, ""
> print >>testfd, "SELINUX_DEVEL_PATH = /:/etc:/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
> print >>testfd, "FOO= bar:baz"
> testfd.close()
>
> # Specify a non default config file, that has /etc in it
> chooser = defaults.PathChoooser("/tmp/pathchooser.conf")
> print chooser("passwd")
> --8<---------------cut here---------------end--------------->8---
>
>         manoj
>
> Signed-off-by: Enrico Zini <enrico@debian.org>
> Signed-off-by: Manoj Srivastava <srivasta@debian.org>
> ---
>  src/sepolgen/defaults.py |   47 +++++++++++++++++++++++++++++++++++++++------
>  1 files changed, 40 insertions(+), 7 deletions(-)
>
> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
> index 45ce61a..906c058 100644
> --- a/src/sepolgen/defaults.py
> +++ b/src/sepolgen/defaults.py
> @@ -1,6 +1,6 @@
>  # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
>  #
> -# Copyright (C) 2006 Red Hat 
> +# Copyright (C) 2006 Red Hat
>  # see file 'COPYING' for use and warranty information
>  #
>  # This program is free software; you can redistribute it and/or
> @@ -17,6 +17,40 @@
>  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>  #
>
> +import os
> +import re
> +
> +# Select the correct location for the development files based on a
> +# path variable (optionally read from a configuration file)
> +class PathChoooser(object):
> +    def __init__(self, pathname):
> +        self.config = dict()
> +        if not os.path.exists(pathname):
> +            self.config_pathname = "(defaults)"
> +            self.config["SELINUX_DEVEL_PATH"] = "/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
> +            return
> +        self.config_pathname = pathname
> +        ignore = re.compile(r"^\s*(?:#.+)?$")
> +        consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
> +        for lineno, line in enumerate(open(pathname)):
> +            if ignore.match(line): continue
> +            mo = consider.match(line)
> +            if not mo:
> +                raise ValueError, "%s:%d: line is not in key = value format" % (pathname, lineno+1)
> +            self.config[mo.group(1)] = mo.group(2)
> +
> +    # We're only exporting one useful function, so why not be a function
> +    def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
> +        paths = self.config.get(pathset, None)
> +        if paths is None:
> +            raise ValueError, "%s was not in %s" % (pathset, self.config_pathname)
> +        paths = paths.split(":")
> +        for p in paths:
> +            target = os.path.join(p, testfilename)
> +            if os.path.exists(target): return target
> +        return os.path.join(paths[0], testfilename)
> +
> +
>  """
>  Various default settings, including file and directory locations.
>  """
> @@ -30,12 +64,11 @@ def perm_map():
>  def interface_info():
>      return data_dir() + "/interface_info"
>
> -def refpolicy_devel():
> -    return "/usr/share/selinux/devel"
> -
>  def refpolicy_makefile():
> -    return refpolicy_devel() + "/Makefile"
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("Makefile")
>
>  def headers():
> -    return refpolicy_devel() + "/include"
> -    
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("include")
> +
> -- 
> 1.6.3.3

        To follow up, this has not been tested, and with this sepolgen-ifgen
 from policycoreutils does work. Unless there are objections (or flaws
 that people point out), I am planning on applying this patch on the
 next Debian upload.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Christopher J. PeBenito @ 2009-08-17 12:36 UTC (permalink / raw)
  To: Manoj Srivastava; +Cc: selinux

On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
> On Fri, Aug 14 2009, Manoj Srivastava wrote:
> 
> >         I am running into an issue with sepolgen on Debian. Debian ships
> >  more than one  version of the refpolicy, a default one, and a
> >  MLS enabled one. So, the include files live in either
> >  /usr/share/selinux/{default,mls}/include
> >
> >         sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
> >  a single location -- and thus, only one version of the security policy
> >  may be supported. So, sepolgen-ifgen from policycoreutils can only work
> >  with one policy, which may not be the one installed on the target
> >  machine. Could this be made configurable, somehow? As far as I can
> >  see, sepolgen's python library does not offer any way to set the value.
> >
> >         It would be nice if the location of the include directory could
> >  be looked for from a PATH like variable setting, to make it easier for
> >  distributions to ship more than one policy, or for end users to
> >  experiment with other policies without have to overwrite the single
> >  default. 
> 
>         Well, here is a kind of proof-of-concept patch (python is not my
>  strong suit), and I have only tested in that it allows the package to
>  compile, and the following code works:
[...]
>  def refpolicy_makefile():
> -    return refpolicy_devel() + "/Makefile"
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("Makefile")
>  
>  def headers():
> -    return refpolicy_devel() + "/include"
> -    
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("include")
> +

Why are you making another config file rather than just get the policy
name from /etc/selinux/config via selinux_getpolicytype()?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Manoj Srivastava @ 2009-08-17 15:40 UTC (permalink / raw)
  To: selinux

On Mon, Aug 17 2009, Christopher J. PeBenito wrote:

> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>> 
>> >         I am running into an issue with sepolgen on Debian. Debian ships
>> >  more than one  version of the refpolicy, a default one, and a
>> >  MLS enabled one. So, the include files live in either
>> >  /usr/share/selinux/{default,mls}/include
>> >
>> >         sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>> >  a single location -- and thus, only one version of the security policy
>> >  may be supported. So, sepolgen-ifgen from policycoreutils can only work
>> >  with one policy, which may not be the one installed on the target
>> >  machine. Could this be made configurable, somehow? As far as I can
>> >  see, sepolgen's python library does not offer any way to set the value.
>> >
>> >         It would be nice if the location of the include directory could
>> >  be looked for from a PATH like variable setting, to make it easier for
>> >  distributions to ship more than one policy, or for end users to
>> >  experiment with other policies without have to overwrite the single
>> >  default. 
>> 
>>         Well, here is a kind of proof-of-concept patch (python is not my
>>  strong suit), and I have only tested in that it allows the package to
>>  compile, and the following code works:
> [...]
>>  def refpolicy_makefile():
>> -    return refpolicy_devel() + "/Makefile"
>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>> +    return chooser("Makefile")
>>  
>>  def headers():
>> -    return refpolicy_devel() + "/include"
>> -    
>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>> +    return chooser("include")
>> +
>
> Why are you making another config file rather than just get the policy
> name from /etc/selinux/config via selinux_getpolicytype()?

        This will work well for Debian, since the development files are
 installed under "/usr/share/selinux/" in a subdirectory named after the
 policy. I was not sure that this convention was followed in other
 distributions, though. While I am not certain, google implies that in
 fedora policy type is targeted, but the devel files do not live in
 /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
 let the user provide guidance about how to map the policy type to a
 directory? 

        Also, I must confess I had forgotten about this call.

        However, a patch with this is trivial, so an alternate patch
 follows. (Not sure this will work for fedora, so caveat emptor)

        manoj
[0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html

--8<---------------cut here---------------start------------->8---

If the user installs a policy whose development files do not live under
/usr/share/selinux/devel/include, sepolgen would not work. Debian, for
instance, installs under:
/usr/share/selinux/{default,mls}/include

This patch uses selinux_getpolicytype() to determine the policy type, and
assumes that there is one-on-one correspondence between policytype and
the directory the development files live in.

Signed-off-by: Manoj Srivastava <srivasta@debian.org>
---
 src/sepolgen/defaults.py |    4 +++-
 src/sepolgen/module.py   |    2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
index 45ce61a..85e5fb0 100644
--- a/src/sepolgen/defaults.py
+++ b/src/sepolgen/defaults.py
@@ -21,6 +21,8 @@
 Various default settings, including file and directory locations.
 """
 
+import selinux
+
 def data_dir():
     return "/var/lib/sepolgen"
 
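Review bot: `import selinux` turns the libselinux Python bindings into a hard dependency of sepolgen.defaults, which was previously pure Python; the commit message should say so and the packaging should declare it, otherwise every sepolgen import fails on a host without the bindings.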
@@ -31,7 +33,7 @@ def interface_info():
     return data_dir() + "/interface_info"
 
 def refpolicy_devel():
-    return "/usr/share/selinux/devel"
+    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
 
 def refpolicy_makefile():
     return refpolicy_devel() + "/Makefile"
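Review bot: `selinux.selinux_getpolicytype()[1]` discards the return code in element [0]; on a host where /etc/selinux/config is missing or has no SELINUXTYPE line the lookup does not yield a usable directory name, and the concatenation silently produces a nonsense path. Check the return code and fall back to the previous "/usr/share/selinux/devel" default; that fallback also covers the layout the commit message admits it does not handle, where the development tree does not live under /usr/share/selinux/<policytype>.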
diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
index edd24c6..355c9b8 100644
--- a/src/sepolgen/module.py
+++ b/src/sepolgen/module.py
@@ -120,7 +120,7 @@ class ModuleCompiler:
         self.semodule_package = "/usr/bin/semodule_package"
         self.output = output
         self.last_output = ""
-        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
+        self.refpol_makefile = "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]  + "/Makefile"
         self.make = "/usr/bin/make"
 
     def o(self, str):
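Review bot: this hunk calls `selinux.selinux_getpolicytype()` in module.py, but the diffstat (`module.py | 2 +-`) shows no `import selinux` added to this file, so ModuleCompiler construction raises NameError unless module.py already imports selinux. Rather than adding the import and duplicating the lookup, set `self.refpol_makefile` from `defaults.refpolicy_makefile()` so the policy-type-to-directory mapping lives in one place.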
-- 
1.6.3.3


-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

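The two patches in this thread take different routes to the same lookup: the first reads a PATH-like SELINUX_DEVEL_PATH from /etc/selinux/sepolgen.conf, the second derives the directory from the policy type and assumes a one-to-one mapping that, as the author notes, does not hold on Fedora. The following is an added example, not code from sepolgen or from either patch, that combines the two into one resolver: an explicit search path wins, otherwise /usr/share/selinux/<policytype> is tried and then the historical /usr/share/selinux/devel, and the directory is resolved once so Makefile and include/ always come from the same tree. It is written for Python 3 and takes the policy type as a parameter where the real code would call selinux.selinux_getpolicytype(), so it runs without libselinux; the function names (parse_conf, candidate_dirs, refpolicy_devel, rejects_malformed, demo) and the directory tree built by demo() are constructed for the example.

```python
import os
import re
import tempfile

# Real locations used by sepolgen; both are parameters below so the example
# can run against a constructed tree instead of the live system.
DEFAULT_CONFIG = "/etc/selinux/sepolgen.conf"
DEFAULT_SHARE = "/usr/share/selinux"

# Same line grammar as the PathChoooser patch: blank or '#' lines are skipped,
# anything else must be KEY = value.
_IGNORE = re.compile(r"^\s*(?:#.*)?$")
_KEYVAL = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_conf(path):
    """Parse a sepolgen.conf-style file into a dict; a missing file is empty."""
    config = {}
    if not os.path.exists(path):
        return config
    with open(path) as fh:  # closed on exit, unlike the bare open() in the patch
        for lineno, line in enumerate(fh, 1):
            if _IGNORE.match(line):
                continue
            mo = _KEYVAL.match(line)
            if mo is None:
                raise ValueError("%s:%d: line is not in key = value format"
                                 % (path, lineno))
            config[mo.group(1)] = mo.group(2)
    return config


def candidate_dirs(policytype, config, share=DEFAULT_SHARE):
    """Directories to probe, most specific first.

    An explicit SELINUX_DEVEL_PATH (first patch) wins outright; otherwise try
    <share>/<policytype> (Debian layout, second patch) and then the
    historical <share>/devel (Fedora/RHEL layout).
    """
    raw = config.get("SELINUX_DEVEL_PATH")
    if raw:
        return [p for p in raw.split(":") if p]
    cands = []
    if policytype:
        cands.append(os.path.join(share, policytype))
    cands.append(os.path.join(share, "devel"))
    return cands


def refpolicy_devel(policytype, config_path=DEFAULT_CONFIG, share=DEFAULT_SHARE):
    """Return the first candidate holding BOTH Makefile and include/.

    Resolving once, and requiring both entries in the same tree, avoids
    building against one policy's Makefile and another's headers.  No usable
    tree is an error rather than a guessed path.
    """
    for d in candidate_dirs(policytype, parse_conf(config_path), share):
        if (os.path.isfile(os.path.join(d, "Makefile"))
                and os.path.isdir(os.path.join(d, "include"))):
            return d
    raise LookupError("no refpolicy development tree for policy type %r"
                      % (policytype,))


def rejects_malformed(text):
    """True if parse_conf refuses a config file containing the given text."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    try:
        parse_conf(path)
        return False
    except ValueError:
        return True
    finally:
        os.unlink(path)


def demo():
    """Exercise the three lookup modes against a constructed directory tree."""
    root = tempfile.mkdtemp()
    share = os.path.join(root, "share")
    for name in ("default", "mls", "devel"):  # constructed policy trees
        os.makedirs(os.path.join(share, name, "include"))
        open(os.path.join(share, name, "Makefile"), "w").close()
    absent = os.path.join(root, "no-such-sepolgen.conf")
    # Debian layout: the policy type names its own subdirectory.
    debian = refpolicy_devel("default", absent, share)
    # Fedora layout: type is "targeted", but the tree lives under devel/.
    fedora = refpolicy_devel("targeted", absent, share)
    # An explicit search path overrides the policy type entirely.
    conf = os.path.join(root, "sepolgen.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed config\n\nSELINUX_DEVEL_PATH = %s:%s\n"
                 % (os.path.join(share, "mls"), os.path.join(share, "default")))
    explicit = refpolicy_devel("default", conf, share)
    return {"debian": os.path.basename(debian),
            "fedora": os.path.basename(fedora),
            "explicit": os.path.basename(explicit)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints `{'debian': 'default', 'fedora': 'devel', 'explicit': 'mls'}`. The one design point that matters for a tool that compiles policy is the trust boundary: whatever directory this resolver returns is where sepolgen-ifgen reads interface files from, so the config file and every directory it names should be root-owned and not writable by other users; the resolver does not check that, it only makes the choice explicit and deterministic.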

* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Joshua Brindle @ 2009-09-16 15:01 UTC (permalink / raw)
  To: selinux; +Cc: Daniel J Walsh, Stephen Smalley

Manoj Srivastava wrote:
> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>
>    
>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>      
>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>
>>>        
>>>>          I am running into an issue with sepolgen on Debian. Debian ships
>>>>   more than one  version of the refpolicy, a default one, and a
>>>>   MLS enabled one. So, the include files live in either
>>>>   /usr/share/selinux/{default,mls}/include
>>>>
>>>>          sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>>>   a single location -- and thus, only one version of the security policy
>>>>   may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>>>   with one policy, which may not be the one installed on the target
>>>>   machine. Could this be made configurable, somehow? As far as I can
>>>>   see, sepolgen's python library does not offer any way to set the value.
>>>>
>>>>          It would be nice if the location of the include directory could
>>>>   be looked for from a PATH like variable setting, to make it easier for
>>>>   distributions to ship more than one policy, or for end users to
>>>>   experiment with other policies without have to overwrite the single
>>>>   default.
>>>>          
>>>          Well, here is a kind of proof-of-concept patch (python is not my
>>>   strong suit), and I have only tested in that it allows the package to
>>>   compile, and the following code works:
>>>        
>> [...]
>>      
>>>   def refpolicy_makefile():
>>> -    return refpolicy_devel() + "/Makefile"
>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>> +    return chooser("Makefile")
>>>
>>>   def headers():
>>> -    return refpolicy_devel() + "/include"
>>> -
>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>> +    return chooser("include")
>>> +
>>>        
>> Why are you making another config file rather than just get the policy
>> name from /etc/selinux/config via selinux_getpolicytype()?
>>      
>
>          This will work well for Debian, since the development files are
>   installed under "/usr/share/selinux/" in a subdirectory named after the
>   policy. I was not sure that this convention was followed in other
>   distributions, though. While I am not certain, google implies that in
>   fedora policy type is targeted, but the devel files do not live in
>   /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>   let the user provide guidance about how to map the policy type to a
>   directory?
>
>          Also, I must confess I had forgotten about this call.
>
>          However, a patch with this is trivial, so an alternate patch
>   follows. (Not sure this will work for fedora, so caveat emptor)
>
>          manoj
> [0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>
> --8<---------------cut here---------------start------------->8---
>
> If the user installs a policy whose development files do not live under
> /usr/share/selinux/devel/include, sepolgen wqould not work. Debian, for
> instance, installs under:
> /usr/share/selinux/{default,mls}/include
>
> This patch uses selinux_getpolicytype() to determine the policy type, and
> assumes that there is one-on-one correspondence between policytype and
> the directory the development files live in.
>
> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
> ---
>   src/sepolgen/defaults.py |    4 +++-
>   src/sepolgen/module.py   |    2 +-
>   2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
> index 45ce61a..85e5fb0 100644
> --- a/src/sepolgen/defaults.py
> +++ b/src/sepolgen/defaults.py
> @@ -21,6 +21,8 @@
>   Various default settings, including file and directory locations.
>   """
>
> +import selinux
> +
>   def data_dir():
>       return "/var/lib/sepolgen"
>
> @@ -31,7 +33,7 @@ def interface_info():
>       return data_dir() + "/interface_info"
>
>   def refpolicy_devel():
> -    return "/usr/share/selinux/devel"
> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
>
>   def refpolicy_makefile():
>       return refpolicy_devel() + "/Makefile"
> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
> index edd24c6..355c9b8 100644
> --- a/src/sepolgen/module.py
> +++ b/src/sepolgen/module.py
> @@ -120,7 +120,7 @@ class ModuleCompiler:
>           self.semodule_package = "/usr/bin/semodule_package"
>           self.output = output
>           self.last_output = ""
> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
> +        self.refpol_makefile = "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]  + "/Makefile"
>           self.make = "/usr/bin/make"
>
>       def o(self, str):
>    

This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has 
interface files in /usr/share/selinux/devel rather than 
/usr/share/selinux/<policy>/devel or similar but we can't break them.

Dan, any chance you could change the location of the interface files?



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
From: Manoj Srivastava @ 2009-09-16 16:44 UTC (permalink / raw)
  To: selinux

On Wed, Sep 16 2009, Joshua Brindle wrote:

> Manoj Srivastava wrote:
>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>>
>>    
>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>>      
>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>>
>>>>        
>>>>>          I am running into an issue with sepolgen on Debian. Debian ships
>>>>>   more than one  version of the refpolicy, a default one, and a
>>>>>   MLS enabled one. So, the include files live in either
>>>>>   /usr/share/selinux/{default,mls}/include
>>>>>
>>>>>          sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>>>>   a single location -- and thus, only one version of the security policy
>>>>>   may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>>>>   with one policy, which may not be the one installed on the target
>>>>>   machine. Could this be made configurable, somehow? As far as I can
>>>>>   see, sepolgen's python library does not offer any way to set the value.
>>>>>
>>>>>          It would be nice if the location of the include directory could
>>>>>   be looked for from a PATH like variable setting, to make it easier for
>>>>>   distributions to ship more than one policy, or for end users to
>>>>>   experiment with other policies without have to overwrite the single
>>>>>   default.
>>>>>          
>>>>          Well, here is a kind of proof-of-concept patch (python is not my
>>>>   strong suit), and I have only tested in that it allows the package to
>>>>   compile, and the following code works:
>>>>        
>>> [...]
>>>      
>>>>   def refpolicy_makefile():
>>>> -    return refpolicy_devel() + "/Makefile"
>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>> +    return chooser("Makefile")
>>>>
>>>>   def headers():
>>>> -    return refpolicy_devel() + "/include"
>>>> -
>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>> +    return chooser("include")
>>>> +
>>>>        
>>> Why are you making another config file rather than just get the policy
>>> name from /etc/selinux/config via selinux_getpolicytype()?
>>>      
>>
>>          This will work well for Debian, since the development files are
>>   installed under "/usr/share/selinux/" in a subdirectory named after the
>>   policy. I was not sure that this convention was followed in other
>>   distributions, though. While I am not certain, google implies that in
>>   fedora policy type is targeted, but the devel files do not live in
>>   /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>>   let the user provide guidance about how to map the policy type to a
>>   directory?
>>
>>          Also, I must confess I had forgotten about this call.
>>
>>          However, a patch with this is trivial, so an alternate patch
>>   follows. (Not sure this will work for fedora, so caveat emptor)
>>
>>          manoj
>> [0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>>
>> --8<---------------cut here---------------start------------->8---
>>
>> If the user installs a policy whose development files do not live under
>> /usr/share/selinux/devel/include, sepolgen wqould not work. Debian, for
>> instance, installs under:
>> /usr/share/selinux/{default,mls}/include
>>
>> This patch uses selinux_getpolicytype() to determine the policy type, and
>> assumes that there is one-on-one correspondence between policytype and
>> the directory the development files live in.
>>
>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
>> ---
>>   src/sepolgen/defaults.py |    4 +++-
>>   src/sepolgen/module.py   |    2 +-
>>   2 files changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
>> index 45ce61a..85e5fb0 100644
>> --- a/src/sepolgen/defaults.py
>> +++ b/src/sepolgen/defaults.py
>> @@ -21,6 +21,8 @@
>>   Various default settings, including file and directory locations.
>>   """
>>
>> +import selinux
>> +
>>   def data_dir():
>>       return "/var/lib/sepolgen"
>>
>> @@ -31,7 +33,7 @@ def interface_info():
>>       return data_dir() + "/interface_info"
>>
>>   def refpolicy_devel():
>> -    return "/usr/share/selinux/devel"
>> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
>>
>>   def refpolicy_makefile():
>>       return refpolicy_devel() + "/Makefile"
>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
>> index edd24c6..355c9b8 100644
>> --- a/src/sepolgen/module.py
>> +++ b/src/sepolgen/module.py
>> @@ -120,7 +120,7 @@ class ModuleCompiler:
>>           self.semodule_package = "/usr/bin/semodule_package"
>>           self.output = output
>>           self.last_output = ""
>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
>> +        self.refpol_makefile = "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]  + "/Makefile"
>>           self.make = "/usr/bin/make"
>>
>>       def o(self, str):
>>    
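Review bot: this hunk duplicates the path derivation from `defaults.refpolicy_devel()` instead of calling `defaults.refpolicy_makefile()`, so the two copies can drift apart; and no `import selinux` is added to module.py (the diffstat lists only the single changed line), so unless the file already imports it, constructing `ModuleCompiler` raises NameError. Reuse `defaults.refpolicy_makefile()` here.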
>
> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH
> has interface files in /usr/share/selinux/devel rather than
> /usr/share/selinux/<policy>/devel or similar but we can't break them.

        Yes, I know it breaks RHEL, which is why I would prefer the
 other patch I sent in first (re-attached below); this uses a
 configuration file instead.

> Dan, any chance you could change the location of the interface files?

        Or that would work.

        manoj

--8<---------------cut here---------------start------------->8---
import defaults

# The following looks for /etc/selinux/sepolgen.conf that 
# does not exist
print defaults.refpolicy_makefile()
print defaults.headers()

# Create a configuration file
testfd = open("/tmp/pathchooser.conf", "w")
print >>testfd, "# This is a comment"
print >>testfd, "  # An empty line will follow"
print >>testfd, ""
print >>testfd, "SELINUX_DEVEL_PATH = /:/etc:/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
print >>testfd, "FOO= bar:baz"
testfd.close()

# Specify a non default config file, that has /etc in it
chooser = defaults.PathChoooser("/tmp/pathchooser.conf")
print chooser("passwd")
--8<---------------cut here---------------end--------------->8---
        manoj

Signed-off-by: Enrico Zini <enrico@debian.org>
Signed-off-by: Manoj Srivastava <srivasta@debian.org>
---
 src/sepolgen/defaults.py |   47 +++++++++++++++++++++++++++++++++++++++------
 1 files changed, 40 insertions(+), 7 deletions(-)

diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
index 45ce61a..906c058 100644
--- a/src/sepolgen/defaults.py
+++ b/src/sepolgen/defaults.py
@@ -1,6 +1,6 @@
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 #
-# Copyright (C) 2006 Red Hat 
+# Copyright (C) 2006 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or
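Review bot: this hunk only strips trailing whitespace from the copyright line; unrelated whitespace churn makes the patch noisier to review and harder to backport, so drop it from this change or send it separately.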
@@ -17,6 +17,40 @@
 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 #

+import os
+import re
+
+# Select the correct location for the development files based on a
+# path variable (optionally read from a configuration file)
+class PathChoooser(object):
+    def __init__(self, pathname):
+        self.config = dict()
+        if not os.path.exists(pathname):
+            self.config_pathname = "(defaults)"
+            self.config["SELINUX_DEVEL_PATH"] = "/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
+            return
+        self.config_pathname = pathname
+        ignore = re.compile(r"^\s*(?:#.+)?$")
+        consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
+        for lineno, line in enumerate(open(pathname)):
+            if ignore.match(line): continue
+            mo = consider.match(line)
+            if not mo:
+                raise ValueError, "%s:%d: line is not in key = value format" % (pathname, lineno+1)
+            self.config[mo.group(1)] = mo.group(2)
+
+    # We're only exporting one useful function, so why not be a function
+    def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
+        paths = self.config.get(pathset, None)
+        if paths is None:
+            raise ValueError, "%s was not in %s" % (pathset, self.config_pathname)
+        paths = paths.split(":")
+        for p in paths:
+            target = os.path.join(p, testfilename)
+            if os.path.exists(target): return target
+        return os.path.join(paths[0], testfilename)
+
+
 """
 Various default settings, including file and directory locations.
 """
@@ -30,12 +64,11 @@ def perm_map():
 def interface_info():
     return data_dir() + "/interface_info"

-def refpolicy_devel():
-    return "/usr/share/selinux/devel"
-
 def refpolicy_makefile():
-    return refpolicy_devel() + "/Makefile"
+    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+    return chooser("Makefile")

 def headers():
-    return refpolicy_devel() + "/include"
-    
+    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
+    return chooser("include")
+
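Review bot: `refpolicy_makefile()` and `headers()` each build their own `PathChoooser` and search the path independently, so when one entry holds a Makefile but no include directory (or the reverse) the two functions return files from different policy trees, the Makefile of one policy with the headers of another. Resolve the directory once, taking the first entry that contains both, and derive both paths from it; that also lets `refpolicy_devel()` survive as the resolved directory instead of being removed, since other code may import it.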
-- 
1.6.3.3


-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


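An added illustration of the PATH-like lookup discussed above (Python 3; not code from this thread, the posted patches or sepolgen itself): it reads the same `KEY = value` format as the posted `PathChoooser`, but resolves the development directory once, taking the first entry that holds both `Makefile` and `include/` so the two are never mixed from different policy trees, and it accepts an optional policy type for the `/usr/share/selinux/<policytype>` convention from the other patch. The directory tree and configuration text are constructed for the demo.

```python
"""Resolve the refpolicy development directory for sepolgen from a
PATH-like setting, requiring Makefile and include/ from the same entry.

Added illustration for the discussion above; not code from sepolgen or
from the posted patches.  Python 3."""
import os
import re
import tempfile

# Same line grammar as the posted PathChoooser: blank lines and '#'
# comments are skipped, anything else must be KEY = value.  '#.*' rather
# than '#.+' so that a line holding a lone '#' is also a comment.
_IGNORE = re.compile(r"^\s*(?:#.*)?$")
_KEYVAL = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")

# Fallback search path when no configuration file exists (same value as
# the posted patch's built-in default).
DEFAULT_DEVEL_PATH = ("/usr/share/selinux/default:/usr/share/selinux/mls:"
                      "/usr/share/selinux/devel")


def parse_config(text):
    """Parse KEY = value lines into a dict; the ValueError names the
    1-based line number of the first malformed line."""
    config = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if _IGNORE.match(line):
            continue
        mo = _KEYVAL.match(line)
        if not mo:
            raise ValueError("line %d is not in key = value format" % lineno)
        config[mo.group(1)] = mo.group(2)
    return config


def load_config(pathname):
    """Read a sepolgen.conf-style file; a missing file yields the default."""
    if not os.path.exists(pathname):
        return {"SELINUX_DEVEL_PATH": DEFAULT_DEVEL_PATH}
    with open(pathname) as fh:          # closed again, unlike the patch
        return parse_config(fh.read())


def candidate_dirs(config, policytype=None):
    """Directories to try, in order: the configured path, then the
    /usr/share/selinux/<policytype> convention.  The caller passes the
    type it read from /etc/selinux/config after checking that call
    succeeded; nothing here touches libselinux."""
    path = config.get("SELINUX_DEVEL_PATH", DEFAULT_DEVEL_PATH)
    dirs = [p for p in path.split(":") if p]
    if policytype:
        dirs.append(os.path.join("/usr/share/selinux", policytype))
    return dirs


def is_complete(directory):
    """True only when the directory holds both Makefile and include/."""
    return (os.path.isfile(os.path.join(directory, "Makefile"))
            and os.path.isdir(os.path.join(directory, "include")))


def choose_devel_dir(config, policytype=None):
    """First candidate with a complete Makefile + include/ pair, else None.
    Resolving the directory once (rather than Makefile and include/
    separately) guarantees the two come from the same policy tree."""
    for d in candidate_dirs(config, policytype):
        if is_complete(d):
            return d
    return None


def build_demo_tree():
    """Constructed sample tree: 'mls' has a Makefile but no include/,
    'default' has both.  Returns a fresh temporary root directory."""
    root = tempfile.mkdtemp(prefix="sepolgen-demo-")
    os.makedirs(os.path.join(root, "mls"))
    open(os.path.join(root, "mls", "Makefile"), "w").close()
    os.makedirs(os.path.join(root, "default", "include"))
    open(os.path.join(root, "default", "Makefile"), "w").close()
    return root


def demo():
    """List mls before default in a constructed config; the incomplete
    mls entry is skipped and the basename of the chosen dir is returned."""
    root = build_demo_tree()
    conf = parse_config(
        "# constructed sepolgen.conf\n#\n\n"
        "SELINUX_DEVEL_PATH = %s:%s\n"
        % (os.path.join(root, "mls"), os.path.join(root, "default")))
    chosen = choose_devel_dir(conf)
    return os.path.basename(chosen) if chosen else None


if __name__ == "__main__":
    print(demo())          # default
```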

* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 15:01     ` Joshua Brindle
  2009-09-16 16:44       ` Manoj Srivastava
@ 2009-09-16 17:10       ` Daniel J Walsh
  2009-09-16 17:14         ` Joshua Brindle
  2010-05-13 19:11         ` Stephen Smalley
  1 sibling, 2 replies; 18+ messages in thread
From: Daniel J Walsh @ 2009-09-16 17:10 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux, Stephen Smalley

On 09/16/2009 11:01 AM, Joshua Brindle wrote:
> 
> 
> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
> interface files in /usr/share/selinux/devel rather than
> /usr/share/selinux/<policy>/devel or similar but we can't break them.
> 
> Dan, any chance you could change the location of the interface files?
> 
> 
We could carry a patch, although I don't think anyone is shipping different interfaces for different policies.

We could add a link in each policy type back to the devel environment.
Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and, on RHEL and Fedora systems,
 have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 17:10       ` Daniel J Walsh
@ 2009-09-16 17:14         ` Joshua Brindle
  2009-09-16 17:29           ` Daniel J Walsh
  2010-05-13 19:11         ` Stephen Smalley
  1 sibling, 1 reply; 18+ messages in thread
From: Joshua Brindle @ 2009-09-16 17:14 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: selinux, Stephen Smalley




Daniel J Walsh wrote:
> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
>    
>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
>> interface files in /usr/share/selinux/devel rather than
>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>>
>> Dan, any chance you could change the location of the interface files?
>>
>>
>>      
> We could carry a patch, although I don't think anyone is shipping different interfaces for different policies.
>
>    

I'm not willing to break upstream behavior and force you to carry a
patch for something that previously worked.

Perhaps not for distro-shipped policies, but for custom policies I know
interfaces are changed, and if the developers on those end systems want
to use sepolgen for interface matching they have to overwrite the
distro-shipped interface files.

> We could add a link in each policy type back to the devel environment.
> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and, on RHEL and Fedora systems,
>   have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
>
>    

Wasn't this done in the past? I remember a symlink being there but can't
remember why it was removed (unless I'm misremembering).



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 17:14         ` Joshua Brindle
@ 2009-09-16 17:29           ` Daniel J Walsh
  2009-09-16 19:52             ` Joshua Brindle
  0 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2009-09-16 17:29 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux, Stephen Smalley

On 09/16/2009 01:14 PM, Joshua Brindle wrote:
> 
> 
> Daniel J Walsh wrote:
>> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
>>   
>>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
>>> interface files in /usr/share/selinux/devel rather than
>>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>>>
>>> Dan, any chance you could change the location of the interface files?
>>>
>>>
>>>      
>> We could carry a patch, although I don't think anyone is shipping
>> different interfaces for different policies.
>>
>>    
> 
> I'm not willing to break upstream behavior and force you to carry a
> patch for something that previously worked.
> 
> Perhaps not for distro-shipped policies, but for custom policies I know
> interfaces are changed, and if the developers on those end systems want
> to use sepolgen for interface matching they have to overwrite the
> distro-shipped interface files.
> 
>> We could add a link in each policy type back to the devel environment.
>> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and, on RHEL and
>> Fedora systems,
>>   have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
>>
>>    
> 
> Wasn't this done in the past? I remember a symlink being there but can't
> remember why it was removed (unless I'm misremembering).
> 
It was there in the past, but "devel" was a separate package and in some cases we ended up with a dangling link.
devel has since been moved into the selinux-policy package so it would not be a problem any longer.



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 17:29           ` Daniel J Walsh
@ 2009-09-16 19:52             ` Joshua Brindle
  2009-09-16 20:23               ` Daniel J Walsh
  0 siblings, 1 reply; 18+ messages in thread
From: Joshua Brindle @ 2009-09-16 19:52 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: selinux, Stephen Smalley



Daniel J Walsh wrote:
> On 09/16/2009 01:14 PM, Joshua Brindle wrote:
>>
>> Daniel J Walsh wrote:
>>> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
>>>
>>>> Manoj Srivastava wrote:
>>>>
>>>>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>>>>>
>>>>>
>>>>>
>>>>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>>>>>
>>>>>>
>>>>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>            I am running into an issue with sepolgen on Debian. Debian
>>>>>>>> ships
>>>>>>>>     more than one  version of the refpolicy, a default one, and a
>>>>>>>>     MLS enabled one. So, the include files live in either
>>>>>>>>     /usr/share/selinux/{default,mls}/include
>>>>>>>>
>>>>>>>>            sepolgen (in src/sepolgen/defaults.py) sets
>>>>>>>> refpolicy_devel() to
>>>>>>>>     a single location -- and thus, only one version of the security
>>>>>>>> policy
>>>>>>>>     may be supported. So, sepolgen-ifgen from policycoreutils can
>>>>>>>> only work
>>>>>>>>     with one policy, which may not be the one installed on the target
>>>>>>>>     machine. Could this be made configurable, somehow? As far as I
>>>>>>>> can
>>>>>>>>     see, sepolgen's python library does not offer any way to set the
>>>>>>>> value.
>>>>>>>>
>>>>>>>>            It would be nice if the location of the include directory
>>>>>>>> could
>>>>>>>>     be looked for from a PATH like variable setting, to make it
>>>>>>>> easier for
>>>>>>>>     distributions to ship more than one policy, or for end users to
>>>>>>>>     experiment with other policies without have to overwrite the
>>>>>>>> single
>>>>>>>>     default.
>>>>>>>>
>>>>>>>>
>>>>>>>            Well, here is a kind of proof-of-concept patch (python is
>>>>>>> not my
>>>>>>>     strong suit), and I have only tested in that it allows the
>>>>>>> package to
>>>>>>>     compile, and the following code works:
>>>>>>>
>>>>>>>
>>>>>> [...]
>>>>>>
>>>>>>
>>>>>>>     def refpolicy_makefile():
>>>>>>> -    return refpolicy_devel() + "/Makefile"
>>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>>> +    return chooser("Makefile")
>>>>>>>
>>>>>>>     def headers():
>>>>>>> -    return refpolicy_devel() + "/include"
>>>>>>> -
>>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>>> +    return chooser("include")
>>>>>>> +
>>>>>>>
>>>>>>>
>>>>>> Why are you making another config file rather than just get the policy
>>>>>> name from /etc/selinux/config via selinux_getpolicytype()?
>>>>>>
>>>>>>
>>>>>            This will work well for Debian, since the development
>>>>> files are
>>>>>     installed under "/usr/share/selinux/" in a subdirectory named
>>>>> after the
>>>>>     policy. I was not sure that this convention was followed in other
>>>>>     distributions, though. While I am not certain, google implies
>>>>> that in
>>>>>     fedora policy type is targeted, but the devel files do not live in
>>>>>     /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>>>>>     let the user provide guidance about how to map the policy type to a
>>>>>     directory?
>>>>>
>>>>>            Also, I must confess I had forgotten about this call.
>>>>>
>>>>>            However, a patch with this is trivial, so an alternate patch
>>>>>     follows. (Not sure this will work for fedora, so caveat emptor)
>>>>>
>>>>>            manoj
>>>>> [0]
>>>>> http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>>>>>
>>>>>
>>>>>
>>>>> --8<---------------cut here---------------start------------->8---
>>>>>
>>>>> If the user installs a policy whose development files do not live under
>>>>> /usr/share/selinux/devel/include, sepolgen wqould not work. Debian, for
>>>>> instance, installs under:
>>>>> /usr/share/selinux/{default,mls}/include
>>>>>
>>>>> This patch uses selinux_getpolicytype() to determine the policy
>>>>> type, and
>>>>> assumes that there is one-on-one correspondence between policytype and
>>>>> the directory the development files live in.
>>>>>
>>>>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
>>>>> ---
>>>>>     src/sepolgen/defaults.py |    4 +++-
>>>>>     src/sepolgen/module.py   |    2 +-
>>>>>     2 files changed, 4 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
>>>>> index 45ce61a..85e5fb0 100644
>>>>> --- a/src/sepolgen/defaults.py
>>>>> +++ b/src/sepolgen/defaults.py
>>>>> @@ -21,6 +21,8 @@
>>>>>     Various default settings, including file and directory locations.
>>>>>     """
>>>>>
>>>>> +import selinux
>>>>> +
>>>>>     def data_dir():
>>>>>         return "/var/lib/sepolgen"
>>>>>
>>>>> @@ -31,7 +33,7 @@ def interface_info():
>>>>>         return data_dir() + "/interface_info"
>>>>>
>>>>>     def refpolicy_devel():
>>>>> -    return "/usr/share/selinux/devel"
>>>>> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
>>>>>
>>>>>     def refpolicy_makefile():
>>>>>         return refpolicy_devel() + "/Makefile"
>>>>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
>>>>> index edd24c6..355c9b8 100644
>>>>> --- a/src/sepolgen/module.py
>>>>> +++ b/src/sepolgen/module.py
>>>>> @@ -120,7 +120,7 @@ class ModuleCompiler:
>>>>>             self.semodule_package = "/usr/bin/semodule_package"
>>>>>             self.output = output
>>>>>             self.last_output = ""
>>>>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
>>>>> +        self.refpol_makefile = "/usr/share/selinux/" +
>>>>> selinux.selinux_getpolicytype()[1]  + "/Makefile"
>>>>>             self.make = "/usr/bin/make"
>>>>>
>>>>>         def o(self, str):
>>>>>
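Review bot: the replacement line rebuilds the path from selinux_getpolicytype() instead of calling defaults.refpolicy_makefile(), so any rc check or fallback added in defaults.py has to be duplicated here, and the hunk adds no `import selinux` to module.py, so unless the module already imports it this assignment raises NameError at ModuleCompiler construction. Suggest `self.refpol_makefile = defaults.refpolicy_makefile()` (importing defaults if module.py does not already).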
>>>>>
>>>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
>>>> interface files in /usr/share/selinux/devel rather than
>>>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>>>>
>>>> Dan, any chance you could change the location of the interface files?
>>>>
>>>>
>>>>
>>> We could carry a patch although I don't think anyone is shipping
>>> different interfaces for different policies.
>>>
>>>
>> I'm not willing to break upstream behavior and force you to carry a
>> patch for something that previously worked.
>>
>> Perhaps not for distro shipped policies but for custom policies I know
>> interfaces are changed and if the developers on those end systems want
>> to use sepolgen for interface matching they have to over write the
>> distro shipped interface files.
>>
>>> We could add a link in each policy type back to the devel environment.
>>> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and on RHEL and
>>> Fedora systems have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
>>>
>>>
>> wasn't this done in the past? I remember a symlink being there but can't
>> remember why it was removed (unless I'm misremembering)
>>
> It was there in the past, but "devel" was a separate package and in some cases we ended up with a dangling link.
> devel has since been moved into the selinux-policy package so it would not be a problem any longer.
>

So you'd need to update the policy package before we pull this in 
upstream. Just let me know when that has been done.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 19:52             ` Joshua Brindle
@ 2009-09-16 20:23               ` Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2009-09-16 20:23 UTC (permalink / raw)
  To: Joshua Brindle; +Cc: selinux, Stephen Smalley

On 09/16/2009 03:52 PM, Joshua Brindle wrote:
> 
> 
> Daniel J Walsh wrote:
>> On 09/16/2009 01:14 PM, Joshua Brindle wrote:
>>>
>>> Daniel J Walsh wrote:
>>>> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
>>>>
>>>>> Manoj Srivastava wrote:
>>>>>
>>>>>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>>>>>>
>>>>>>>
>>>>>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>         I am running into an issue with sepolgen on Debian. Debian ships
>>>>>>>>>  more than one version of the refpolicy, a default one, and a
>>>>>>>>>  MLS enabled one. So, the include files live in either
>>>>>>>>>  /usr/share/selinux/{default,mls}/include
>>>>>>>>>
>>>>>>>>>         sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>>>>>>>>  a single location -- and thus, only one version of the security policy
>>>>>>>>>  may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>>>>>>>>  with one policy, which may not be the one installed on the target
>>>>>>>>>  machine. Could this be made configurable, somehow? As far as I can
>>>>>>>>>  see, sepolgen's python library does not offer any way to set the value.
>>>>>>>>>
>>>>>>>>>         It would be nice if the location of the include directory could
>>>>>>>>>  be looked for from a PATH like variable setting, to make it easier for
>>>>>>>>>  distributions to ship more than one policy, or for end users to
>>>>>>>>>  experiment with other policies without having to overwrite the single
>>>>>>>>>  default.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>         Well, here is a kind of proof-of-concept patch (python is not my
>>>>>>>>  strong suit), and I have only tested in that it allows the package to
>>>>>>>>  compile, and the following code works:
>>>>>>>>
>>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>>
>>>>>>>>     def refpolicy_makefile():
>>>>>>>> -    return refpolicy_devel() + "/Makefile"
>>>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>>>> +    return chooser("Makefile")
>>>>>>>>
>>>>>>>>     def headers():
>>>>>>>> -    return refpolicy_devel() + "/include"
>>>>>>>> -
>>>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>>>> +    return chooser("include")
>>>>>>>> +
>>>>>>>>
>>>>>>>>
>>>>>>> Why are you making another config file rather than just get the
>>>>>>> policy
>>>>>>> name from /etc/selinux/config via selinux_getpolicytype()?
>>>>>>>
>>>>>>>
>>>>>>         This will work well for Debian, since the development files are
>>>>>>  installed under "/usr/share/selinux/" in a subdirectory named after the
>>>>>>  policy. I was not sure that this convention was followed in other
>>>>>>  distributions, though. While I am not certain, google implies that in
>>>>>>  fedora policy type is targeted, but the devel files do not live in
>>>>>>  /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>>>>>>  let the user provide guidance about how to map the policy type to a
>>>>>>  directory?
>>>>>>
>>>>>>            Also, I must confess I had forgotten about this call.
>>>>>>
>>>>>>         However, a patch with this is trivial, so an alternate patch
>>>>>>  follows. (Not sure this will work for fedora, so caveat emptor)
>>>>>>
>>>>>>            manoj
>>>>>> [0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --8<---------------cut here---------------start------------->8---
>>>>>>
>>>>>> If the user installs a policy whose development files do not live under
>>>>>> /usr/share/selinux/devel/include, sepolgen would not work. Debian, for
>>>>>> instance, installs under:
>>>>>> /usr/share/selinux/{default,mls}/include
>>>>>>
>>>>>> This patch uses selinux_getpolicytype() to determine the policy type, and
>>>>>> assumes that there is a one-to-one correspondence between policytype and
>>>>>> the directory the development files live in.
>>>>>>
>>>>>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
>>>>>> ---
>>>>>>     src/sepolgen/defaults.py |    4 +++-
>>>>>>     src/sepolgen/module.py   |    2 +-
>>>>>>     2 files changed, 4 insertions(+), 2 deletions(-)
>>>>>>
>>>>>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
>>>>>> index 45ce61a..85e5fb0 100644
>>>>>> --- a/src/sepolgen/defaults.py
>>>>>> +++ b/src/sepolgen/defaults.py
>>>>>> @@ -21,6 +21,8 @@
>>>>>>     Various default settings, including file and directory locations.
>>>>>>     """
>>>>>>
>>>>>> +import selinux
>>>>>> +
>>>>>>     def data_dir():
>>>>>>         return "/var/lib/sepolgen"
>>>>>>
>>>>>> @@ -31,7 +33,7 @@ def interface_info():
>>>>>>         return data_dir() + "/interface_info"
>>>>>>
>>>>>>     def refpolicy_devel():
>>>>>> -    return "/usr/share/selinux/devel"
>>>>>> +    return "/usr/share/selinux/" +
>>>>>> selinux.selinux_getpolicytype()[1]
>>>>>>
>>>>>>     def refpolicy_makefile():
>>>>>>         return refpolicy_devel() + "/Makefile"
>>>>>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
>>>>>> index edd24c6..355c9b8 100644
>>>>>> --- a/src/sepolgen/module.py
>>>>>> +++ b/src/sepolgen/module.py
>>>>>> @@ -120,7 +120,7 @@ class ModuleCompiler:
>>>>>>             self.semodule_package = "/usr/bin/semodule_package"
>>>>>>             self.output = output
>>>>>>             self.last_output = ""
>>>>>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
>>>>>> +        self.refpol_makefile = "/usr/share/selinux/" +
>>>>>> selinux.selinux_getpolicytype()[1]  + "/Makefile"
>>>>>>             self.make = "/usr/bin/make"
>>>>>>
>>>>>>         def o(self, str):
>>>>>>
>>>>>>
>>>>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
>>>>> interface files in /usr/share/selinux/devel rather than
>>>>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>>>>>
>>>>> Dan, any chance you could change the location of the interface files?
>>>>>
>>>>>
>>>>>
>>>> We could carry a patch although I don't think anyone is shipping
>>>> different interfaces for different policies.
>>>>
>>>>
>>> I'm not willing to break upstream behavior and force you to carry a
>>> patch for something that previously worked.
>>>
>>> Perhaps not for distro shipped policies but for custom policies I know
>>> interfaces are changed and if the developers on those end systems want
>>> to use sepolgen for interface matching they have to over write the
>>> distro shipped interface files.
>>>
>>>> We could add a link in each policy type back to the devel environment.
>>>> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and on RHEL and
>>>> Fedora systems have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
>>>>
>>>>
>>> wasn't this done in the past? I remember a symlink being there but can't
>>> remember why it was removed (unless I'm misremembering)
>>>
>> It was there in the past, but "devel" was a separate package and in
>> some cases we ended up with a dangling link.
>> devel has since been moved into the selinux-policy package so it would
>> not be a problem any longer.
>>
> 
> So you'd need to update the policy package before we pull this in
> upstream. Just let me know when that has been done.
Well, it won't be done on RHEL5, since devel is a separate package there, and even if I wanted to update it, I can't until about 6 months from now (RHEL5.5).



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 16:44       ` Manoj Srivastava
@ 2009-09-16 20:56         ` Joshua Brindle
  2009-09-18 21:56           ` Manoj Srivastava
  0 siblings, 1 reply; 18+ messages in thread
From: Joshua Brindle @ 2009-09-16 20:56 UTC (permalink / raw)
  To: Manoj Srivastava; +Cc: selinux



Manoj Srivastava wrote:
> On Wed, Sep 16 2009, Joshua Brindle wrote:
>
>> Manoj Srivastava wrote:
>>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>>>
>>>
>>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>>>
>>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>>>
>>>>>
>>>>>>           I am running into an issue with sepolgen on Debian. Debian ships
>>>>>>    more than one  version of the refpolicy, a default one, and a
>>>>>>    MLS enabled one. So, the include files live in either
>>>>>>    /usr/share/selinux/{default,mls}/include
>>>>>>
>>>>>>           sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>>>>>    a single location -- and thus, only one version of the security policy
>>>>>>    may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>>>>>    with one policy, which may not be the one installed on the target
>>>>>>    machine. Could this be made configurable, somehow? As far as I can
>>>>>>    see, sepolgen's python library does not offer any way to set the value.
>>>>>>
>>>>>>           It would be nice if the location of the include directory could
>>>>>>    be looked for from a PATH like variable setting, to make it easier for
>>>>>>    distributions to ship more than one policy, or for end users to
>>>>>>    experiment with other policies without having to overwrite the single
>>>>>>    default.
>>>>>>
>>>>>           Well, here is a kind of proof-of-concept patch (python is not my
>>>>>    strong suit), and I have only tested in that it allows the package to
>>>>>    compile, and the following code works:
>>>>>
>>>> [...]
>>>>
>>>>>    def refpolicy_makefile():
>>>>> -    return refpolicy_devel() + "/Makefile"
>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>> +    return chooser("Makefile")
>>>>>
>>>>>    def headers():
>>>>> -    return refpolicy_devel() + "/include"
>>>>> -
>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>> +    return chooser("include")
>>>>> +
>>>>>
>>>> Why are you making another config file rather than just get the policy
>>>> name from /etc/selinux/config via selinux_getpolicytype()?
>>>>
>>>           This will work well for Debian, since the development files are
>>>    installed under "/usr/share/selinux/" in a subdirectory named after the
>>>    policy. I was not sure that this convention was followed in other
>>>    distributions, though. While I am not certain, google implies that in
>>>    fedora policy type is targeted, but the devel files do not live in
>>>    /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>>>    let the user provide guidance about how to map the policy type to a
>>>    directory?
>>>
>>>           Also, I must confess I had forgotten about this call.
>>>
>>>           However, a patch with this is trivial, so an alternate patch
>>>    follows. (Not sure this will work for fedora, so caveat emptor)
>>>
>>>           manoj
>>> [0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>>>
>>> --8<---------------cut here---------------start------------->8---
>>>
>>> If the user installs a policy whose development files do not live under
>>> /usr/share/selinux/devel/include, sepolgen would not work. Debian, for
>>> instance, installs under:
>>> /usr/share/selinux/{default,mls}/include
>>>
>>> This patch uses selinux_getpolicytype() to determine the policy type, and
>>> assumes that there is a one-to-one correspondence between policytype and
>>> the directory the development files live in.
>>>
>>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
>>> ---
>>>    src/sepolgen/defaults.py |    4 +++-
>>>    src/sepolgen/module.py   |    2 +-
>>>    2 files changed, 4 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
>>> index 45ce61a..85e5fb0 100644
>>> --- a/src/sepolgen/defaults.py
>>> +++ b/src/sepolgen/defaults.py
>>> @@ -21,6 +21,8 @@
>>>    Various default settings, including file and directory locations.
>>>    """
>>>
>>> +import selinux
>>> +
>>>    def data_dir():
>>>        return "/var/lib/sepolgen"
>>>
>>> @@ -31,7 +33,7 @@ def interface_info():
>>>        return data_dir() + "/interface_info"
>>>
>>>    def refpolicy_devel():
>>> -    return "/usr/share/selinux/devel"
>>> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
>>>
>>>    def refpolicy_makefile():
>>>        return refpolicy_devel() + "/Makefile"
>>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
>>> index edd24c6..355c9b8 100644
>>> --- a/src/sepolgen/module.py
>>> +++ b/src/sepolgen/module.py
>>> @@ -120,7 +120,7 @@ class ModuleCompiler:
>>>            self.semodule_package = "/usr/bin/semodule_package"
>>>            self.output = output
>>>            self.last_output = ""
>>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
>>> +        self.refpol_makefile = "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]  + "/Makefile"
>>>            self.make = "/usr/bin/make"
>>>
>>>        def o(self, str):
>>>
>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH
>> has interface files in /usr/share/selinux/devel rather than
>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>
>          Yes, I know it breaks RHEL, which is why I would prefer the
>   other patch I sent in first (re-attached below); this uses a
>   configuration file instead.
>
>> Dan, any chance you could change the location of the interface files?
>
>          Or that would work.
>
>          manoj
>
> --8<---------------cut here---------------start------------->8---
> import defaults
>
> # The following looks for /etc/selinux/sepolgen.conf that
> # does not exist
> print defaults.refpolicy_makefile()
> print defaults.headers()
>
> # Create a configuration file
> testfd = open("/tmp/pathchooser.conf", "w")
> print>>testfd, "# This is a comment"
> print>>testfd, "  # An empty line will follow"
> print>>testfd, ""
> print>>testfd, "SELINUX_DEVEL_PATH = /:/etc:/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
> print>>testfd, "FOO= bar:baz"
> testfd.close()
>
> # Specify a non default config file, that has /etc in it
> chooser = defaults.PathChoooser("/tmp/pathchooser.conf")
> print chooser("passwd")
> --8<---------------cut here---------------end--------------->8---
>          manoj
>
> Signed-off-by: Enrico Zini<enrico@debian.org>
> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
> ---
>   src/sepolgen/defaults.py |   47 +++++++++++++++++++++++++++++++++++++++------
>   1 files changed, 40 insertions(+), 7 deletions(-)
>
> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
> index 45ce61a..906c058 100644
> --- a/src/sepolgen/defaults.py
> +++ b/src/sepolgen/defaults.py
> @@ -1,6 +1,6 @@
>   # Authors: Karl MacMillan<kmacmillan@mentalrootkit.com>
>   #
> -# Copyright (C) 2006 Red Hat
> +# Copyright (C) 2006 Red Hat
>   # see file 'COPYING' for use and warranty information
>   #
>   # This program is free software; you can redistribute it and/or
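Review bot: this hunk touches only the Copyright line, and the removed and added versions are identical apart from trailing whitespace; it is unrelated to the change and should be dropped from the patch.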
> @@ -17,6 +17,40 @@
>   # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
>   #
>
> +import os
> +import re
> +
> +# Select the correct location for the development files based on a
> +# path variable (optionally read from a configuration file)
> +class PathChoooser(object):
> +    def __init__(self, pathname):
> +        self.config = dict()
> +        if not os.path.exists(pathname):
> +            self.config_pathname = "(defaults)"
> +            self.config["SELINUX_DEVEL_PATH"] = "/usr/share/selinux/default:/usr/share/selinux/mls:/usr/share/selinux/devel"
> +            return
> +        self.config_pathname = pathname
> +        ignore = re.compile(r"^\s*(?:#.+)?$")
> +        consider = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")
> +        for lineno, line in enumerate(open(pathname)):
> +            if ignore.match(line): continue
> +            mo = consider.match(line)
> +            if not mo:
> +                raise ValueError, "%s:%d: line is not in key = value format" % (pathname, lineno+1)
> +            self.config[mo.group(1)] = mo.group(2)
> +
> +    # We're only exporting one useful function, so why not be a function
> +    def __call__(self, testfilename, pathset="SELINUX_DEVEL_PATH"):
> +        paths = self.config.get(pathset, None)
> +        if paths is None:
> +            raise ValueError, "%s was not in %s" % (pathset, self.config_pathname)
> +        paths = paths.split(":")
> +        for p in paths:
> +            target = os.path.join(p, testfilename)
> +            if os.path.exists(target): return target
> +        return os.path.join(paths[0], testfilename)
> +
> +
>   """
>   Various default settings, including file and directory locations.
>   """
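Review bot: in __call__, when no entry of SELINUX_DEVEL_PATH contains testfilename, the fall-through `return os.path.join(paths[0], testfilename)` hands the caller a path that is already known not to exist, so a misconfigured path only surfaces later as a make or open() failure far from its cause; raise an error (naming the directories probed) instead. Further points in the same hunk: the class name is spelled PathChoooser with three o's; the `"""Various default settings..."""` string that was the module docstring now comes after the imports and the class, so it is no longer a docstring and the new code belongs below it; `open(pathname)` is never closed; and the built-in defaults hardcode Debian's default and mls directories ahead of /usr/share/selinux/devel, which only works because the first existing match wins. Since the Makefile chosen here is what make later executes, the config file comment should say that the path must list only root-owned directories.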
> @@ -30,12 +64,11 @@ def perm_map():
>   def interface_info():
>       return data_dir() + "/interface_info"
>
> -def refpolicy_devel():
> -    return "/usr/share/selinux/devel"
> -
>   def refpolicy_makefile():
> -    return refpolicy_devel() + "/Makefile"
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("Makefile")
>
>   def headers():
> -    return refpolicy_devel() + "/include"
> -
> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> +    return chooser("include")
> +
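Review bot: removing refpolicy_devel() is an API break for anything that imports it from sepolgen.defaults (module.py still builds its own devel Makefile path rather than asking this module); keep refpolicy_devel() as a wrapper returning the directory the chooser selected and derive refpolicy_makefile() and headers() from it, so the Makefile and include/ always come from the same tree. The "/etc/selinux/sepolgen.conf" literal is also repeated in both functions and the file is re-parsed on every call; one module-level constant and one cached chooser would do.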

I'm not a fan of fixing things by making them configurable. This really 
should just use a standard location of /usr/share/selinux/<type>/devel.

Would you carry the previous patch that changed the path until RHEL and 
Fedora get updated then we can merge it upstream?


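As an added example, not code from sepolgen or from any participant in this thread, here is how the lookup argued over above could be written so that it serves Debian's /usr/share/selinux/<type> layout, the /usr/share/selinux/<type>/devel location Joshua proposes, and the Fedora/RHEL /usr/share/selinux/devel default at once, with the PATH-like override from Manoj's first message on top. It parses SELINUXTYPE out of /etc/selinux/config-style text itself rather than calling libselinux so it runs anywhere; the sample layouts, config texts and function names are my own constructions. Unlike the quoted PathChoooser fallback to paths[0], it fails closed when no candidate holds both a Makefile and an include/ directory, since the Makefile it picks is what make will execute.

```python
import os
import re

# Upstream sepolgen default, and the layout Fedora/RHEL ship according to the thread.
UPSTREAM_DEVEL = "/usr/share/selinux/devel"


def policy_type_from_config(config_text):
    """Return the SELINUXTYPE value from /etc/selinux/config-style text, or None.

    SELINUXTYPE is the key libselinux's selinux_getpolicytype() reads; parsing it
    here (assumption: same format) keeps the example runnable without libselinux.
    """
    for line in config_text.splitlines():
        m = re.match(r"^\s*SELINUXTYPE\s*=\s*(\S+)\s*$", line)
        if m:
            return m.group(1)
    return None


def candidate_devel_dirs(policy_type, search_path=None):
    """Ordered, de-duplicated list of directories to probe.

    search_path is an optional colon-separated list (the PATH-like setting) and
    always wins; then <type>/devel (proposed standard), then plain <type>
    (Debian), then the upstream default so Fedora/RHEL keep working.
    """
    cands = []
    if search_path:
        cands.extend(p for p in search_path.split(":") if p)
    if policy_type:
        # The type comes from a config file; never let it carry path components.
        if "/" in policy_type or policy_type in (".", ".."):
            raise ValueError("refusing policy type with path components: %r" % policy_type)
        cands.append("/usr/share/selinux/%s/devel" % policy_type)
        cands.append("/usr/share/selinux/%s" % policy_type)
    cands.append(UPSTREAM_DEVEL)
    seen, ordered = set(), []
    for c in cands:
        if c not in seen:
            seen.add(c)
            ordered.append(c)
    return ordered


def resolve_devel_dir(policy_type, exists=os.path.exists, search_path=None):
    """Return the first candidate that holds both Makefile and include/.

    `exists` is injectable so the logic can be tested against a constructed file
    list. Fail closed with LookupError instead of returning a guessed path.
    """
    for d in candidate_devel_dirs(policy_type, search_path):
        if exists(os.path.join(d, "Makefile")) and exists(os.path.join(d, "include")):
            return d
    raise LookupError("no refpolicy development tree found for policy type %r"
                      % (policy_type,))


# Constructed sample layouts and config files (not captured from real systems).
DEBIAN_FS = {"/usr/share/selinux/default/Makefile", "/usr/share/selinux/default/include",
             "/usr/share/selinux/mls/Makefile", "/usr/share/selinux/mls/include"}
FEDORA_FS = {"/usr/share/selinux/devel/Makefile", "/usr/share/selinux/devel/include"}
DEBIAN_CONFIG = "# constructed /etc/selinux/config\nSELINUX=enforcing\nSELINUXTYPE=mls\n"
FEDORA_CONFIG = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"


def demo():
    """Resolve the devel directory for both sample layouts."""
    debian = resolve_devel_dir(policy_type_from_config(DEBIAN_CONFIG),
                               exists=DEBIAN_FS.__contains__)
    fedora = resolve_devel_dir(policy_type_from_config(FEDORA_CONFIG),
                               exists=FEDORA_FS.__contains__)
    return debian, fedora


if __name__ == "__main__":
    print(demo())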
* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 20:56         ` Joshua Brindle
@ 2009-09-18 21:56           ` Manoj Srivastava
  0 siblings, 0 replies; 18+ messages in thread
From: Manoj Srivastava @ 2009-09-18 21:56 UTC (permalink / raw)
  To: selinux

On Wed, Sep 16 2009, Joshua Brindle wrote:

>
> I'm not a fan of fixing things by making them configurable. This
> really should just use a standard location of
> /usr/share/selinux/<type>/devel.

> Would you carry the previous patch that changed the path until RHEL
> and Fedora get updated then we can merge it upstream?

        Sure, that would not be a problem.

        manoj
-- 
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>  
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C


* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2009-09-16 17:10       ` Daniel J Walsh
  2009-09-16 17:14         ` Joshua Brindle
@ 2010-05-13 19:11         ` Stephen Smalley
  2010-05-13 19:15           ` Daniel J Walsh
  1 sibling, 1 reply; 18+ messages in thread
From: Stephen Smalley @ 2010-05-13 19:11 UTC (permalink / raw)
  To: Daniel J Walsh; +Cc: Joshua Brindle, selinux

On Wed, 2009-09-16 at 13:10 -0400, Daniel J Walsh wrote:
> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
> > 
> > 
> > Manoj Srivastava wrote:
> >> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
> >>
> >>   
> >>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
> >>>     
> >>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
> >>>>
> >>>>       
> >>>>>          I am running into an issue with sepolgen on Debian. Debian ships
> >>>>>   more than one version of the refpolicy, a default one, and a
> >>>>>   MLS enabled one. So, the include files live in either
> >>>>>   /usr/share/selinux/{default,mls}/include
> >>>>>
> >>>>>          sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
> >>>>>   a single location -- and thus, only one version of the security policy
> >>>>>   may be supported. So, sepolgen-ifgen from policycoreutils can only work
> >>>>>   with one policy, which may not be the one installed on the target
> >>>>>   machine. Could this be made configurable, somehow? As far as I can
> >>>>>   see, sepolgen's python library does not offer any way to set the value.
> >>>>>
> >>>>>          It would be nice if the location of the include directory could
> >>>>>   be looked for from a PATH like variable setting, to make it easier for
> >>>>>   distributions to ship more than one policy, or for end users to
> >>>>>   experiment with other policies without having to overwrite the single
> >>>>>   default.
> >>>>>          
> >>>>          Well, here is a kind of proof-of-concept patch (python is not my
> >>>>   strong suit), and I have only tested in that it allows the package to
> >>>>   compile, and the following code works:
> >>>>        
> >>> [...]
> >>>     
> >>>>   def refpolicy_makefile():
> >>>> -    return refpolicy_devel() + "/Makefile"
> >>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> >>>> +    return chooser("Makefile")
> >>>>
> >>>>   def headers():
> >>>> -    return refpolicy_devel() + "/include"
> >>>> -
> >>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> >>>> +    return chooser("include")
> >>>> +
> >>>>        
> >>> Why are you making another config file rather than just get the policy
> >>> name from /etc/selinux/config via selinux_getpolicytype()?
> >>>      
> >>
> >>          This will work well for Debian, since the development files are
> >>   installed under "/usr/share/selinux/" in a subdirectory named after the
> >>   policy. I was not sure that this convention was followed in other
> >>   distributions, though. While I am not certain, google implies that in
> >>   fedora policy type is targeted, but the devel files do not live in
> >>   /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
> >>   let the user provide guidance about how to map the policy type to a
> >>   directory?
> >>
> >>          Also, I must confess I had forgotten about this call.
> >>
> >>          However, a patch with this is trivial, so an alternate patch
> >>   follows. (Not sure this will work for fedora, so caveat emptor)
> >>
> >>          manoj
> >> [0] http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
> >>
> >>
> >> --8<---------------cut here---------------start------------->8---
> >>
> >> If the user installs a policy whose development files do not live under
> >> /usr/share/selinux/devel/include, sepolgen would not work. Debian, for
> >> instance, installs under:
> >> /usr/share/selinux/{default,mls}/include
> >>
> >> This patch uses selinux_getpolicytype() to determine the policy type, and
> >> assumes that there is a one-to-one correspondence between policytype and
> >> the directory the development files live in.
> >>
> >> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
> >> ---
> >>   src/sepolgen/defaults.py |    4 +++-
> >>   src/sepolgen/module.py   |    2 +-
> >>   2 files changed, 4 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
> >> index 45ce61a..85e5fb0 100644
> >> --- a/src/sepolgen/defaults.py
> >> +++ b/src/sepolgen/defaults.py
> >> @@ -21,6 +21,8 @@
> >>   Various default settings, including file and directory locations.
> >>   """
> >>
> >> +import selinux
> >> +
> >>   def data_dir():
> >>       return "/var/lib/sepolgen"
> >>
> >> @@ -31,7 +33,7 @@ def interface_info():
> >>       return data_dir() + "/interface_info"
> >>
> >>   def refpolicy_devel():
> >> -    return "/usr/share/selinux/devel"
> >> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
> >>
> >>   def refpolicy_makefile():
> >>       return refpolicy_devel() + "/Makefile"
> >> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
> >> index edd24c6..355c9b8 100644
> >> --- a/src/sepolgen/module.py
> >> +++ b/src/sepolgen/module.py
> >> @@ -120,7 +120,7 @@ class ModuleCompiler:
> >>           self.semodule_package = "/usr/bin/semodule_package"
> >>           self.output = output
> >>           self.last_output = ""
> >> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
> >> +        self.refpol_makefile = "/usr/share/selinux/" +
> >> selinux.selinux_getpolicytype()[1]  + "/Makefile"
> >>           self.make = "/usr/bin/make"
> >>
> >>       def o(self, str):
> >>    
> > 
> > This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
> > interface files in /usr/share/selinux/devel rather than
> > /usr/share/selinux/<policy>/devel or similar but we can't break them.
> > 
> > Dan, any chance you could change the location of the interface files?
> > 
> > 
> We could carry a patch although I don't think anyone is shipping different interfaces for different policies.
> 
> We could add a link in each policy type back to the devel environment.
> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and on RHEL and Fedora systems
>  have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/

I don't think this change ever happened in Fedora (and thus not in
RHEL-6).

-- 
Stephen Smalley
National Security Agency



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2010-05-13 19:11         ` Stephen Smalley
@ 2010-05-13 19:15           ` Daniel J Walsh
  2010-05-13 19:28             ` Stephen Smalley
  0 siblings, 1 reply; 18+ messages in thread
From: Daniel J Walsh @ 2010-05-13 19:15 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Joshua Brindle, selinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/13/2010 03:11 PM, Stephen Smalley wrote:
> On Wed, 2009-09-16 at 13:10 -0400, Daniel J Walsh wrote:
>> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
>>>
>>>
>>> Manoj Srivastava wrote:
>>>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
>>>>
>>>>   
>>>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
>>>>>     
>>>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
>>>>>>
>>>>>>       
>>>>>>>          I am running into an issue with sepolgen on Debian. Debian ships
>>>>>>>   more than one version of the refpolicy, a default one, and a
>>>>>>>   MLS enabled one. So, the include files live in either
>>>>>>>   /usr/share/selinux/{default,mls}/include
>>>>>>>
>>>>>>>          sepolgen (in src/sepolgen/defaults.py) sets refpolicy_devel() to
>>>>>>>   a single location -- and thus, only one version of the security policy
>>>>>>>   may be supported. So, sepolgen-ifgen from policycoreutils can only work
>>>>>>>   with one policy, which may not be the one installed on the target
>>>>>>>   machine. Could this be made configurable, somehow? As far as I can
>>>>>>>   see, sepolgen's python library does not offer any way to set the value.
>>>>>>>
>>>>>>>          It would be nice if the location of the include directory could
>>>>>>>   be looked for from a PATH like variable setting, to make it easier for
>>>>>>>   distributions to ship more than one policy, or for end users to
>>>>>>>   experiment with other policies without having to overwrite the single
>>>>>>>   default.
>>>>>>>          
>>>>>>          Well, here is a kind of proof-of-concept patch (python is not my
>>>>>>   strong suit), and I have only tested in that it allows the package to
>>>>>>   compile, and the following code works:
>>>>>>        
>>>>> [...]
>>>>>     
>>>>>>   def refpolicy_makefile():
>>>>>> -    return refpolicy_devel() + "/Makefile"
>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>> +    return chooser("Makefile")
>>>>>>
>>>>>>   def headers():
>>>>>> -    return refpolicy_devel() + "/include"
>>>>>> -
>>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
>>>>>> +    return chooser("include")
>>>>>> +
>>>>>>        
>>>>> Why are you making another config file rather than just get the policy
>>>>> name from /etc/selinux/config via selinux_getpolicytype()?
>>>>>      
>>>>
>>>>          This will work well for Debian, since the development files are
>>>>   installed under "/usr/share/selinux/" in a subdirectory named after the
>>>>   policy. I was not sure that this convention was followed in other
>>>>   distributions, though. While I am not certain, google implies that in
>>>>   fedora policy type is targeted, but the devel files do not live in
>>>>   /usr/share/selinux/targeted.[0]. Given that, perhaps it is better to
>>>>   let the user provide guidance about how to map the policy type to a
>>>>   directory?
>>>>
>>>>          Also, I must confess I had forgotten about this call.
>>>>
>>>>          However, a patch with this is trivial, so an alternate patch
>>>>   follows. (Not sure this will work for fedora, so caveat emptor)
>>>>
>>>>          manoj
>>>> [0]
>>>> http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
>>>>
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>>
>>>> If the user installs a policy whose development files do not live under
>>>> /usr/share/selinux/devel/include, sepolgen would not work. Debian, for
>>>> instance, installs under:
>>>> /usr/share/selinux/{default,mls}/include
>>>>
>>>> This patch uses selinux_getpolicytype() to determine the policy type, and
>>>> assumes that there is one-on-one correspondence between policytype and
>>>> the directory the development files live in.
>>>>
>>>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
>>>> ---
>>>>   src/sepolgen/defaults.py |    4 +++-
>>>>   src/sepolgen/module.py   |    2 +-
>>>>   2 files changed, 4 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
>>>> index 45ce61a..85e5fb0 100644
>>>> --- a/src/sepolgen/defaults.py
>>>> +++ b/src/sepolgen/defaults.py
>>>> @@ -21,6 +21,8 @@
>>>>   Various default settings, including file and directory locations.
>>>>   """
>>>>
>>>> +import selinux
>>>> +
>>>>   def data_dir():
>>>>       return "/var/lib/sepolgen"
>>>>
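Review bot: the module-level `import selinux` added in the `@@ -21,6 +21,8 @@` hunk makes `import sepolgen.defaults` fail outright on any host without the libselinux Python bindings (build hosts, chroots, non-SELinux systems), where the old pure-string defaults still worked. Consider importing inside `refpolicy_devel()` instead, or wrapping the import in `try`/`except ImportError` and returning the previous `"/usr/share/selinux/devel"` default when the bindings are absent.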
>>>> @@ -31,7 +33,7 @@ def interface_info():
>>>>       return data_dir() + "/interface_info"
>>>>
>>>>   def refpolicy_devel():
>>>> -    return "/usr/share/selinux/devel"
>>>> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
>>>>
>>>>   def refpolicy_makefile():
>>>>       return refpolicy_devel() + "/Makefile"
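Review bot: `selinux.selinux_getpolicytype()[1]` in the `refpolicy_devel()` hunk discards the return code, so when the lookup fails (no readable /etc/selinux/config, or no SELINUXTYPE line) the second element is not a valid policy name and the concatenation either raises or yields a bogus path. Unpack it as `rc, ptype = selinux.selinux_getpolicytype()` and fall back to `"/usr/share/selinux/devel"` when `rc != 0` or the resulting directory does not exist; that same fallback also keeps Fedora/RHEL, which ships only the shared /usr/share/selinux/devel tree, working instead of breaking as Joshua notes below.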
>>>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
>>>> index edd24c6..355c9b8 100644
>>>> --- a/src/sepolgen/module.py
>>>> +++ b/src/sepolgen/module.py
>>>> @@ -120,7 +120,7 @@ class ModuleCompiler:
>>>>           self.semodule_package = "/usr/bin/semodule_package"
>>>>           self.output = output
>>>>           self.last_output = ""
>>>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
>>>> +        self.refpol_makefile = "/usr/share/selinux/" +
>>>> selinux.selinux_getpolicytype()[1]  + "/Makefile"
>>>>           self.make = "/usr/bin/make"
>>>>
>>>>       def o(self, str):
>>>>    
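Review bot: the module.py hunk references `selinux.selinux_getpolicytype()` but this diff adds no `import selinux` to module.py (the import was only added to defaults.py), so unless module.py already imports it, constructing `ModuleCompiler` raises `NameError`. As quoted, the assignment is also split after the trailing `+` onto a second line, which is a syntax error in Python unless the expression is parenthesized; if that is mail wrapping, fine, but verify the applied patch. Rather than duplicating the path logic, set `self.refpol_makefile` from `refpolicy_makefile()` in defaults.py so the policy-type mapping lives in one place.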
>>>
>>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
>>> interface files in /usr/share/selinux/devel rather than
>>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
>>>
>>> Dan, any chance you could change the location of the interface files?
>>>
>>>
>> We could carry a patch although I don't think anyone is shipping different interfaces for different policies.
>>
>> We could add a link in each policy type back to the devel environment.
>> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and on RHEL and Fedora systems
>>  have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
> 
> I don't think this change ever happened in Fedora (and thus not in
> RHEL-6).
> 
If you make the change, I will just symlink it back to the base package.

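The thread argues over two ways of locating the refpolicy development tree: Manoj's patch derives it from `selinux_getpolicytype()`, and Dan's reply proposes `/usr/share/selinux/POLICYTYPE/devel` with a symlink back to the shared devel directory on Fedora. The following is an added example, not sepolgen's code and not code from any poster, that combines both ideas: it reads SELINUXTYPE from `/etc/selinux/config` text itself (approximating what `selinux_getpolicytype()` does, so it runs without the libselinux bindings), tries the per-policy directories first and falls back to the legacy `/usr/share/selinux/devel`, and refuses policy names that are not plain directory names. The function names, the candidate order and the `root` parameter (used so the demo can run against constructed trees under a temporary directory) are this example's own assumptions.

```python
"""Locate the refpolicy development tree for the configured policy type.

Added example for this thread, not code from sepolgen or from any poster.
Function names, candidate order and the ``root`` parameter are assumptions
made here so the logic can be exercised against constructed directories.
"""
import os
import re
import tempfile

# Policy type names are single directory components: letters, digits, '_',
# '-' and '.', but not starting with '.', so '..' and hidden names are
# rejected and a bad config line cannot steer lookups out of the share dir.
_POLICYTYPE_RE = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]*$")


def parse_policytype(config_text):
    """Return the SELINUXTYPE value from /etc/selinux/config text, or None.

    Approximates what selinux_getpolicytype() reads: the last uncommented
    SELINUXTYPE=value line wins. Invalid names are treated as absent.
    """
    policytype = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "SELINUXTYPE":
            policytype = value.strip().strip("\"'")
    if policytype is None or not _POLICYTYPE_RE.match(policytype):
        return None
    return policytype


def candidate_devel_dirs(policytype, root="/"):
    """Candidate devel trees, most specific first.

    Covers the layouts named in the thread: the proposed
    /usr/share/selinux/<type>/devel (possibly a symlink), Debian's
    /usr/share/selinux/<type>, and the legacy shared /usr/share/selinux/devel.
    """
    share = os.path.join(root, "usr", "share", "selinux")
    dirs = []
    if policytype:
        dirs.append(os.path.join(share, policytype, "devel"))
        dirs.append(os.path.join(share, policytype))
    dirs.append(os.path.join(share, "devel"))
    return dirs


def is_devel_dir(path):
    """A usable devel tree has the refpolicy Makefile and an include/ dir."""
    return (os.path.isfile(os.path.join(path, "Makefile"))
            and os.path.isdir(os.path.join(path, "include")))


def refpolicy_devel(config_text, root="/"):
    """First candidate that is a real devel tree, or None if none exists."""
    for path in candidate_devel_dirs(parse_policytype(config_text), root):
        if is_devel_dir(path):
            return path
    return None


def refpolicy_makefile(config_text, root="/"):
    devel = refpolicy_devel(config_text, root)
    return None if devel is None else os.path.join(devel, "Makefile")


def headers(config_text, root="/"):
    devel = refpolicy_devel(config_text, root)
    return None if devel is None else os.path.join(devel, "include")


def build_layout(root, *reldirs):
    """Create constructed devel trees (Makefile plus include/) under root."""
    for rel in reldirs:
        path = os.path.join(root, rel)
        os.makedirs(os.path.join(path, "include"), exist_ok=True)
        open(os.path.join(path, "Makefile"), "w").close()


def demo():
    """Run the resolver against the two layouts the thread describes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Debian: one tree per policy type and no shared devel directory.
        build_layout(root, "usr/share/selinux/default", "usr/share/selinux/mls")
        found = refpolicy_devel("SELINUX=enforcing\nSELINUXTYPE=mls\n", root)
        results["debian_mls"] = os.path.relpath(found, root)
        results["debian_unknown"] = refpolicy_devel("SELINUXTYPE=targeted\n", root)
    with tempfile.TemporaryDirectory() as root:
        # Fedora/RHEL: only the shared /usr/share/selinux/devel tree exists.
        build_layout(root, "usr/share/selinux/devel")
        found = refpolicy_makefile("SELINUXTYPE=targeted\n", root)
        results["fedora_targeted"] = os.path.relpath(found, root)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Returning `None` when no candidate holds a Makefile and an include tree lets a caller such as sepolgen-ifgen report the missing development files instead of running make in a directory that does not exist, and the name check keeps a corrupted or hand-edited SELINUXTYPE line from pointing the lookup outside /usr/share/selinux.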

* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2010-05-13 19:15           ` Daniel J Walsh
@ 2010-05-13 19:28             ` Stephen Smalley
  2010-05-13 19:53               ` Daniel J Walsh
  0 siblings, 1 reply; 18+ messages in thread
From: Stephen Smalley @ 2010-05-13 19:28 UTC
  To: Daniel J Walsh; +Cc: Joshua Brindle, selinux

On Thu, 2010-05-13 at 15:15 -0400, Daniel J Walsh wrote:
> 
> On 05/13/2010 03:11 PM, Stephen Smalley wrote:
> > On Wed, 2009-09-16 at 13:10 -0400, Daniel J Walsh wrote:
> >> On 09/16/2009 11:01 AM, Joshua Brindle wrote:
> >>>
> >>>
> >>> Manoj Srivastava wrote:
> >>>> On Mon, Aug 17 2009, Christopher J. PeBenito wrote:
> >>>>
> >>>>   
> >>>>> On Fri, 2009-08-14 at 11:50 -0500, Manoj Srivastava wrote:
> >>>>>     
> >>>>>> On Fri, Aug 14 2009, Manoj Srivastava wrote:
> >>>>>>
> >>>>>>       
> >>>>>>>          I am running into an issue with sepolgen on Debian. Debian
> >>>>>>> ships
> >>>>>>>   more than one  version of the refpolicy, a default one, and a
> >>>>>>>   MLS enabled one. So, the include files live in either
> >>>>>>>   /usr/share/selinux/{default,mls}/include
> >>>>>>>
> >>>>>>>          sepolgen (in src/sepolgen/defaults.py) sets
> >>>>>>> refpolicy_devel() to
> >>>>>>>   a single location -- and thus, only one version of the security
> >>>>>>> policy
> >>>>>>>   may be supported. So, sepolgen-ifgen from policycoreutils can
> >>>>>>> only work
> >>>>>>>   with one policy, which may not be the one installed on the target
> >>>>>>>   machine. Could this be made configurable, somehow? As far as I can
> >>>>>>>   see, sepolgen's python library does not offer any way to set the
> >>>>>>> value.
> >>>>>>>
> >>>>>>>          It would be nice if the location of the include directory
> >>>>>>> could
> >>>>>>>   be looked for from a PATH like variable setting, to make it
> >>>>>>> easier for
> >>>>>>>   distributions to ship more than one policy, or for end users to
> >>>>>>>   experiment with other policies without having to overwrite the single
> >>>>>>>   default.
> >>>>>>>          
> >>>>>>          Well, here is a kind of proof-of-concept patch (python is
> >>>>>> not my
> >>>>>>   strong suit), and I have only tested in that it allows the package to
> >>>>>>   compile, and the following code works:
> >>>>>>        
> >>>>> [...]
> >>>>>     
> >>>>>>   def refpolicy_makefile():
> >>>>>> -    return refpolicy_devel() + "/Makefile"
> >>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> >>>>>> +    return chooser("Makefile")
> >>>>>>
> >>>>>>   def headers():
> >>>>>> -    return refpolicy_devel() + "/include"
> >>>>>> -
> >>>>>> +    chooser = PathChoooser("/etc/selinux/sepolgen.conf")
> >>>>>> +    return chooser("include")
> >>>>>> +
> >>>>>>        
> >>>>> Why are you making another config file rather than just get the policy
> >>>>> name from /etc/selinux/config via selinux_getpolicytype()?
> >>>>>      
> >>>>
> >>>>          This will work well for Debian, since the development files are
> >>>>   installed under "/usr/share/selinux/" in a subdirectory named after the
> >>>>   policy. I was not sure that this convention was followed in other
> >>>>   distributions, though. While I am not certain, Google implies that in
> >>>>   Fedora the policy type is targeted, but the devel files do not live in
> >>>>   /usr/share/selinux/targeted [0]. Given that, perhaps it is better to
> >>>>   let the user provide guidance about how to map the policy type to a
> >>>>   directory?
> >>>>
> >>>>          Also, I must confess I had forgotten about this call.
> >>>>
> >>>>          However, a patch with this is trivial, so an alternate patch
> >>>>   follows. (Not sure this will work for fedora, so caveat emptor)
> >>>>
> >>>>          manoj
> >>>> [0]
> >>>> http://docs.fedoraproject.org/selinux-user-guide/f11/en-US/chap-Security-Enhanced_Linux-Working_with_SELinux.html
> >>>>
> >>>>
> >>>> --8<---------------cut here---------------start------------->8---
> >>>>
> >>>> If the user installs a policy whose development files do not live under
> >>>> /usr/share/selinux/devel/include, sepolgen would not work. Debian, for
> >>>> instance, installs under:
> >>>> /usr/share/selinux/{default,mls}/include
> >>>>
> >>>> This patch uses selinux_getpolicytype() to determine the policy type, and
> >>>> assumes that there is one-on-one correspondence between policytype and
> >>>> the directory the development files live in.
> >>>>
> >>>> Signed-off-by: Manoj Srivastava<srivasta@debian.org>
> >>>> ---
> >>>>   src/sepolgen/defaults.py |    4 +++-
> >>>>   src/sepolgen/module.py   |    2 +-
> >>>>   2 files changed, 4 insertions(+), 2 deletions(-)
> >>>>
> >>>> diff --git a/src/sepolgen/defaults.py b/src/sepolgen/defaults.py
> >>>> index 45ce61a..85e5fb0 100644
> >>>> --- a/src/sepolgen/defaults.py
> >>>> +++ b/src/sepolgen/defaults.py
> >>>> @@ -21,6 +21,8 @@
> >>>>   Various default settings, including file and directory locations.
> >>>>   """
> >>>>
> >>>> +import selinux
> >>>> +
> >>>>   def data_dir():
> >>>>       return "/var/lib/sepolgen"
> >>>>
> >>>> @@ -31,7 +33,7 @@ def interface_info():
> >>>>       return data_dir() + "/interface_info"
> >>>>
> >>>>   def refpolicy_devel():
> >>>> -    return "/usr/share/selinux/devel"
> >>>> +    return "/usr/share/selinux/" + selinux.selinux_getpolicytype()[1]
> >>>>
> >>>>   def refpolicy_makefile():
> >>>>       return refpolicy_devel() + "/Makefile"
> >>>> diff --git a/src/sepolgen/module.py b/src/sepolgen/module.py
> >>>> index edd24c6..355c9b8 100644
> >>>> --- a/src/sepolgen/module.py
> >>>> +++ b/src/sepolgen/module.py
> >>>> @@ -120,7 +120,7 @@ class ModuleCompiler:
> >>>>           self.semodule_package = "/usr/bin/semodule_package"
> >>>>           self.output = output
> >>>>           self.last_output = ""
> >>>> -        self.refpol_makefile = "/usr/share/selinux/devel/Makefile"
> >>>> +        self.refpol_makefile = "/usr/share/selinux/" +
> >>>> selinux.selinux_getpolicytype()[1]  + "/Makefile"
> >>>>           self.make = "/usr/bin/make"
> >>>>
> >>>>       def o(self, str):
> >>>>    
> >>>
> >>> This will break Fedora/RHEL AFAIK. I don't necessarily like that RH has
> >>> interface files in /usr/share/selinux/devel rather than
> >>> /usr/share/selinux/<policy>/devel or similar but we can't break them.
> >>>
> >>> Dan, any chance you could change the location of the interface files?
> >>>
> >>>
> >> We could carry a patch although I don't think anyone is shipping different interfaces for different policies.
> >>
> >> We could add a link in each policy type back to the devel environment.
> >> Or do /usr/share/selinux/POLICYTYPE/devel/Makefile and on RHEL and Fedora systems
> >>  have /usr/share/selinux/POLICYTYPE/devel -> /usr/share/selinux/devel/
> > 
> > I don't think this change ever happened in Fedora (and thus not in
> > RHEL-6).
> > 
> If you make the change, I will just symlink it back to the base package.

I believe they were waiting on you to update Fedora and RHEL (e.g. set
up the symlinks if that is all that is required) so that they could make
the change upstream without risk of breaking anything.

-- 
Stephen Smalley
National Security Agency



* Re: policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian
  2010-05-13 19:28             ` Stephen Smalley
@ 2010-05-13 19:53               ` Daniel J Walsh
  0 siblings, 0 replies; 18+ messages in thread
From: Daniel J Walsh @ 2010-05-13 19:53 UTC
  To: Stephen Smalley; +Cc: Joshua Brindle, selinux


I guess I would say, make the change and then I will update.  This will
go into F14.


end of thread

Thread overview: 18+ messages
2009-08-14 14:59 policycoreutils, sepolgen (sepolgen-ifgen) issues on Debian Manoj Srivastava
2009-08-14 16:50 ` Manoj Srivastava
2009-08-16 14:52   ` Manoj Srivastava
2009-08-17 12:36   ` Christopher J. PeBenito
2009-08-17 15:40   ` Manoj Srivastava
2009-09-16 15:01     ` Joshua Brindle
2009-09-16 16:44       ` Manoj Srivastava
2009-09-16 20:56         ` Joshua Brindle
2009-09-18 21:56           ` Manoj Srivastava
2009-09-16 17:10       ` Daniel J Walsh
2009-09-16 17:14         ` Joshua Brindle
2009-09-16 17:29           ` Daniel J Walsh
2009-09-16 19:52             ` Joshua Brindle
2009-09-16 20:23               ` Daniel J Walsh
2010-05-13 19:11         ` Stephen Smalley
2010-05-13 19:15           ` Daniel J Walsh
2010-05-13 19:28             ` Stephen Smalley
2010-05-13 19:53               ` Daniel J Walsh
