Subject: Re: [PATCH v2 0/3] Add support for extracting modules
To: Sven Vermeulen, SELinux
References: <1438871414-62292-1-git-send-email-ykhodorkovskiy@tresys.com>
From: Stephen Smalley
Message-ID: <55C4B26C.90508@tycho.nsa.gov>
Date: Fri, 7 Aug 2015 09:28:12 -0400
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

On 08/07/2015 04:09 AM, Sven Vermeulen wrote:
> Will you provide a patch to the reference policy to allow semanage_t
> to write into all kinds of directories?
>
> I personally see little value in this patch, as everything is readily
> accessible on the file system. Users who want to extract policies with
> semodule will now encounter policy issues where semanage_t is not
> allowed to write into the current working directory (depending where
> the user is at):

Directly accessing files under /var/lib/selinux is not very user-friendly
or maintainable, as how the files are arranged and stored is an
implementation detail of libsemanage. The change allows users a new
workflow in which they can readily extract a module (whether locally
created or distro-provided), modify it, and then re-install it (and
automatically have their modified version installed at higher priority,
and thereby not clobber the distro-provided one or be clobbered by
subsequent policy updates).

semanage is already given userdom_read_user_home_content_files() and
userdom_read_user_tmp_files() in order to support semodule -i from either
of those locations, so broadening that to userdom_manage doesn't seem too
onerous. Also, the situation doesn't seem terribly different from the
already existing semanage export facility, which takes a -f output_file
option.
> allow semanage_t tmp_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t selinux_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t default_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t file_context_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
> allow semanage_t semanage_store_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
> allow semanage_t semanage_tmp_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
> allow semanage_t policy_config_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
>
> Wkr,
> Sven Vermeulen
>
> On Thu, Aug 6, 2015 at 4:30 PM, Yuli Khodorkovskiy wrote:
>> This patchset adds support for extracting modules from the module store as hll
>> or cil to the current working directory. This also adds a function to the
>> libsemanage API to extract modules and fixes a memory leak discovered while
>> implementing this functionality.
>>
>> Changes from v1:
>> - Add fallback behavior if a module does not exist at the default priority when
>>   extracting with semodule.
>>
>> Yuli Khodorkovskiy (3):
>>   libsemanage: Add ability to extract modules
>>   libsemanage: Fix null pointer dereference in semanage_module_key_destroy
>>   policycoreutils/semodule: update semodule to allow extracting modules
>>
>>  libsemanage/include/semanage/modules.h |  17 ++
>>  libsemanage/src/direct_api.c           | 310 ++++++++++++++++++++++-----------
>>  libsemanage/src/libsemanage.map        |   1 +
>>  libsemanage/src/modules.c              |  23 ++-
>>  libsemanage/src/policy.h               |   8 +
>>  libsemanage/src/semanageswig_python.i  |   5 +
>>  policycoreutils/semodule/semodule.8    |  14 ++
>>  policycoreutils/semodule/semodule.c    | 146 +++++++++++++++-
>>  8 files changed, 416 insertions(+), 108 deletions(-)
>>
>> --
>> 1.9.3
>>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
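The extract / modify / re-install-at-higher-priority workflow that Stephen describes, written out as an added shell example. This is not code from the thread, the patchset or the SELinux project; it assumes the semodule interface the feature ended up with ("-E NAME" extracts NAME.pp or NAME.cil into the current directory, "--cil" selects CIL, "-X PRIORITY" sets the priority for the operations that follow it, and "semodule -lfull" lists "PRIORITY NAME LANG" lines). The listing used by the priority helper is constructed sample output, and the override_module function only runs when semodule is present, as root, on a host with a libsemanage store.

```sh
#!/bin/sh
# Added example of the extract/modify/reinstall workflow (not from the patch).
# Assumed semodule flags: -E NAME (extract), --cil (extract as CIL),
# -X PRIORITY (priority for following operations), -lfull (list with priorities).
set -eu

# Parse "semodule -lfull" style output ($2, lines like "100 httpd pp") and return
# the priority at which a local override of module $1 should be installed:
# 100 above the highest priority the module is currently installed at, never
# below 400, and never above the 999 ceiling. Distro modules normally sit at
# 100, so a later distro update at 100 leaves the override in effect.
next_priority() {
    mod=$1
    listing=$2
    max=0
    while read -r prio name _; do
        case "$prio" in *[!0-9]*|'') continue ;; esac
        [ "$name" = "$mod" ] || continue
        if [ "$prio" -gt "$max" ]; then max=$prio; fi
    done <<EOF
$listing
EOF
    if [ "$max" -eq 0 ]; then
        echo "module $mod is not installed in the store" >&2
        return 1
    fi
    prio=$((max + 100))
    if [ "$prio" -lt 400 ]; then prio=400; fi
    if [ "$prio" -gt 999 ]; then
        echo "no priority above $max is available (ceiling is 999)" >&2
        return 1
    fi
    echo "$prio"
}

# Extract module $1 as CIL into a scratch directory, run editing command $2 on
# the extracted file, and reinstall it at the priority chosen above. The
# distro-provided copy stays in the store at its own priority; "semodule -lfull"
# afterwards shows both entries. Extracting into a scratch directory instead of
# a policy configuration directory keeps the write inside what semanage_t is
# expected to be allowed to touch; as the denials quoted above show, the policy
# still has to permit semanage_t to write into that directory.
override_module() {
    mod=$1
    edit_cmd=$2
    prio=$(next_priority "$mod" "$(semodule -lfull)")
    work=$(mktemp -d)
    ( cd "$work" && semodule --cil -E "$mod" )
    "$edit_cmd" "$work/$mod.cil"
    semodule -X "$prio" -i "$work/$mod.cil"
    semodule -lfull | grep -w "$mod"
    rm -rf "$work"
}

# Usage (as root, on an SELinux host): ./override.sh MODULE EDIT_COMMAND
# e.g. ./override.sh httpd vi
if [ "$#" -eq 2 ] && command -v semodule >/dev/null 2>&1; then
    override_module "$1" "$2"
fi
```

Because the override is installed at a higher priority rather than replacing the distro module in place, a later package update that reinstalls the distro copy at priority 100 does not undo the local change, and the local change can be backed out with "semodule -X PRIORITY -r MODULE" without touching the distro copy.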