Re: [RFC] Source Policy, CIL, and High Level Languages

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Steve Lawrence <slawrence@tresys.com>,
	Dominick Grift <dominick.grift@gmail.com>
Cc: SELinux List <selinux@tycho.nsa.gov>
Subject: Re: [RFC] Source Policy, CIL, and High Level Languages
Date: Fri, 18 Jul 2014 14:10:13 -0400	[thread overview]
Message-ID: <53C96305.60109@tycho.nsa.gov> (raw)
In-Reply-To: <53C944AC.4080605@tresys.com>

On 07/18/2014 12:00 PM, Steve Lawrence wrote:
> On 07/10/2014 02:51 AM, Dominick Grift wrote:
>> On Wed, 2014-07-09 at 15:21 -0400, Steve Lawrence wrote:
>>> In January, we sent an RFC [1] to update userspace to integrate CIL
>>> [2] and source policy. And in April, we sent an updated RFC [3] which
>>> added support for high level languages and a tool to convert policy
>>> package (pp) files to CIL. After getting some good feedback, we have
>>> made some more changes, mostly to maintain ABI compatibility. The
>>> major changes made since the last patchset are:
>>
>> <snip>
>>
>>
>> After associating user john with staff_u, johns home directory is
>> properly labeled (staff_u associated with /home/john). However, what is
>> strange here is that i cannot see staff_u home dir context specs
>> in /var/lib/selinux/targeted/active/modules/file_contexts.homedirs
>>  
>> Am i looking in the wrong place? How does SELinux know that staff_u
>> needs to be associated with /home/john
>>
> 
> In the current upatream, file_contexts.homedirs is autogenerated and
> created in /etc/selinux/targeted/modules/active/ before it is copied to
> /etc/selinux/targeted/contexts/files. This file is not removed from the
> store, so it actually exists in two places.
> 
> However, with the new source policy work, file_contexts.homedirs is
> generated in a temporary sandbox (not the policy store). The contents of
> the sandbox are copied to /etc/selinux, and then deleted at the end of
> the transaction. So the new source policy infrastructure no longer
> stores intermediate/final build files in the policy store.
> 
> However, the migration script copies all the files from the old store to
> the new store, even including autogenerated files that the new source
> policy infrastructure will never look at or touch. This is just a bug in
> the migration script. We've updated the migration script to only migrate
> the files that actually need to be migrated (mostly *.local files). This
> has been rebased/pushed to github #integration branch.

If I run semanage_migrate_etc_to_var.py -n on a clean (no
/var/lib/selinux at all) system, the /var/lib/selinux/targeted/active
directory contains a homedir_template and a netfilter_contexts file in
addition to the modules (and commit_num).  The first file is
automatically extracted from all of the file contexts during build and
the second is unused these days.  If I then run semodule -B (or omit the
-n option on migration), I further have file_contexts.template and
users_extra files under active, both of which are also generated.  I can
delete all four files and regenerate all but netfilter_contexts via
semodule -B.