selinux.vger.kernel.org archive mirror
* ANN: Reference Policy Release
From: Christopher J. PeBenito @ 2005-12-07 16:40 UTC
  To: SELinux Mail List

A new release of the SELinux Reference Policy is now available on
SourceForge from http://serefpolicy.sourceforge.net.  The primary
activity for this release has been preparing and testing Reference
Policy for inclusion in Fedora Core 5 as its targeted policy.  In
addition, several build issues have been fixed.  The change log follows
at the bottom of the email.

Again, for those that are interested in contributing, right now the
best help would be to convert existing policies over to reference
policy; there is a list of modules on the reference policy status page
on SourceForge.

* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
  networking permissions.
- Merge systemuser back into users, as these files
  do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
  layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
  rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
  than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
  to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
  build phase instead of during the generation phase.  
- Added policies:
	amanda
	avahi
	canna
	cyrus
	dbskk
	dovecot
	distcc
	i18n_input
	irqbalance
	lpd
	networkmanager
	pegasus
	postfix
	procmail
	radius
	rdisc
	rpc
	spamassassin
	timidity
	xdm
	xfs


-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-15 22:28 UTC
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

Hmm, I'm trying to compile this as a modular policy.  I've selected
"nis = off" in my modules.conf.  But I get

	policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
	'nis_use_ypbind' on line 33005:
	#line 88
		nis_use_ypbind(netutils_t)

when I try 'make load'.

Is this me misunderstanding how I can use modules.conf, or is
the module policy mostly unsupported?  (I'm happy to help get it
working, just am not sure how it's supposed to work now :)  My first
instinct of course is that the "optional_policy" macro in
policy/support/loadable_module.spt would need to be more complicated
to handle using modules.conf...  But man that's one ugly macro.

thanks,
-serge


* Re: ANN: Reference Policy Release
From: Daniel J Walsh @ 2005-12-16 17:59 UTC
  To: Serge E. Hallyn; +Cc: Christopher J. PeBenito, SELinux Mail List

Serge E. Hallyn wrote:
> Hmm, I'm trying to compile this as a modular policy.  I've selected
> "nis = off" in my modules.conf.  But I get
>
> 	policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 	'nis_use_ypbind' on line 33005:
> 	#line 88
> 		nis_use_ypbind(netutils_t)
>
> when I try 'make load'.
>
> Is this me misunderstanding how I can use modules.conf, or is
> the module policy mostly unsupported?  (I'm happy to help get it
> working, just am not sure how it's supposed to work now :)  My first
> instinct of course is that the "optional_policy" macro in
> policy/support/loadable_module.spt would need to be more complicated
> to handle using modules.conf...  But man that's one ugly macro.
>   
Looks like this should be optional.

* Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-18 23:20 UTC
  To: Christopher J. PeBenito; +Cc: SELinux Mail List

Quoting Serge E. Hallyn (serue@us.ibm.com):
> Hmm, I'm trying to compile this as a modular policy.  I've selected
> "nis = off" in my modules.conf.  But I get
> 
> 	policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 	'nis_use_ypbind' on line 33005:
> 	#line 88
> 		nis_use_ypbind(netutils_t)
> 
> when I try 'make load'.

Also, I needed the following patch to get cvs refpolicy to compile as a
static policy without unconfined.  Of course the offending statement was
"cjp: temporary hack"  :)

thanks,
-serge

Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te	2005-12-17 22:24:11.000000000 -0600
+++ refpolicy/policy/modules/system/selinuxutil.te	2005-12-18 17:13:38.000000000 -0600
@@ -198,7 +198,9 @@ ifdef(`targeted_policy', `
 # cjp: temporary hack to cover
 # up stray file descriptors.
 dontaudit load_policy_t selinux_config_t:file write;
-unconfined_dontaudit_read_pipe(load_policy_t)
+optional_policy(`unconfined',`
+	unconfined_dontaudit_read_pipe(load_policy_t)
+')
 
 ########################################
 #
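Review bot: the scope of the wrapper is right, since only the unconfined_dontaudit_read_pipe call depends on the unconfined module and the "dontaudit load_policy_t selinux_config_t:file write;" rule above it stays unconditional; two points before merging, though. The hunk header's context line is "ifdef(`targeted_policy', `", so confirm in the full file whether these lines sit inside that block: if they do, a strict build should never expand them and the failure points at the ifdef rather than at this call. Also update the "# cjp: temporary hack" comment so it says the unconfined part is now optional, otherwise the next reader will assume the dontaudit pair is unconditional.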


* [PATCH] Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-22  1:25 UTC
  To: Daniel J Walsh; +Cc: Christopher J. PeBenito, SELinux Mail List

Quoting Daniel J Walsh (dwalsh@redhat.com):
> Serge E. Hallyn wrote:
> >Hmm, I'm trying to compile this as a modular policy.  I've selected
> >"nis = off" in my modules.conf.  But I get
> >
> >	policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> >	'nis_use_ypbind' on line 33005:
> >	#line 88
> >		nis_use_ypbind(netutils_t)
> >
> >when I try 'make load'.
> >
> >Is this me misunderstanding how I can use modules.conf, or is
> >the module policy mostly unsupported?  (I'm happy to help get it
> >working, just am not sure how it's supposed to work now :)  My first
> >instinct of course is that the "optional_policy" macro in
> >policy/support/loadable_module.spt would need to be more complicated
> >to handle using modules.conf...  But man that's one ugly macro.
> >  
> Looks like this should be optional.

Right :)  I just had no idea how it was meant to be implemented.

The following patch is one way of implementing the optional_policy
macro for policy modules.  Likely not the best, but I can now
do a full 'make modules'.

thanks,
-serge

Index: refpolicy/Rules.modular
===================================================================
--- refpolicy.orig/Rules.modular	2005-12-21 17:15:50.000000000 -0600
+++ refpolicy/Rules.modular	2005-12-21 18:48:49.000000000 -0600
@@ -37,7 +37,12 @@ all: base modules
 
 base: $(BASE_PKG)
 
-modules: $(MOD_PKGS)
+active_modules: $(MOD_CONF)
+	echo $(MOD_MODS) | sed -e 's/ /\n/g' \
+		| sed -e 's/^\(.*\)$$/define(`\1\x27,1)/' \
+		> active_modules
+
+modules: active_modules $(MOD_PKGS)
 
 install: $(INSTPKG) $(APPFILES)
 
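Review bot: the active_modules recipe is GNU-sed specific and writes into the source tree. The "\n" in the s/ /\n/g replacement and the "\x27" escape for the closing m4 quote are GNU extensions; tr ' ' '\n' and a literal '\'' are portable. The output should also be written to $@ and live under tmp/, so the existing "rm -fR tmp" in clean already covers it, and the recipe should carry the $(QUIET) prefix the other rules in this file use. Note too that listing active_modules before $(MOD_PKGS) in "modules:" does not order the builds under make -j; the tmp/%.mod prerequisite added further down is what actually enforces that.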
@@ -62,7 +67,7 @@ $(MODPKGDIR)/%.pp: %.pp
 #
 # Build module packages
 #
-tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
+tmp/%.mod: active_modules $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
 	@echo "Compliling $(NAME) $(@F) module"
 	$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
 	$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
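Review bot: putting active_modules first in the prerequisites makes it the first file in $^ that m4 reads, which is what makes the define() lines visible to optional_policy, so the ordering is correct. However, the loadable_module.spt hunk tests ifdef(`$1.te', ...) while the active_modules recipe emits define(`\1',1) straight from $(MOD_MODS); confirm that $(MOD_MODS) holds the .te filenames (nis.te, not nis), otherwise the ifdef never matches and every optional block is silently dropped from every module, which "make modules" succeeding would not reveal.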
@@ -186,5 +191,6 @@ clean:
 	rm -f *.pp
 	rm -f $(BASE_FC)
 	rm -fR tmp
+	rm -f active_modules
 
 .PHONY: default all base modules install load clean
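Review bot: this removal is needed because active_modules is a real file rather than a .PHONY target; generating it under tmp/ instead would let the existing "rm -fR tmp" two lines above cover it and keep the clean target unchanged.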
Index: refpolicy/policy/support/loadable_module.spt
===================================================================
--- refpolicy.orig/policy/support/loadable_module.spt	2005-12-21 17:15:59.000000000 -0600
+++ refpolicy/policy/support/loadable_module.spt	2005-12-21 18:45:56.000000000 -0600
@@ -86,17 +86,7 @@ define(`policy_call_depth',0)
 # Optional policy handling
 #
 define(`optional_policy',`
-	ifdef(`self_contained_policy',`
-		ifdef(`$1.te',`$2',`$3')
-	',`
-		optional {
-			$2
-		ifelse(`$3',`',`',`
-		} else {
-			$3
-		')
-		}
-	')
+	ifdef(`$1.te',`$2',`$3')
 ')
 
 ##############################
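Review bot: replacing the whole body with a bare ifdef changes semantics beyond fixing the syntax error. The removed optional { $2 } else { $3 } block is what lets the policy linker disable the block when the module it calls into is absent at link or load time (for example after the module is removed with semodule), so after this change such a caller fails to link instead of having the block disabled. Suggest keeping the optional { ... } body and nesting the ifdef(`$1.te', ...) test inside it: calls into modules turned off in modules.conf are then pruned at build time, and the blocks that remain are still optional at load time. The self_contained_policy branch is also dropped without a replacement; check whether the monolithic build shares this file before removing it.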

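A constructed Python model of the build-time pruning the patch above implements (added here; it is not refpolicy's build code nor Serge's patch): it parses a modules.conf, emits the define(`name.te',1) lines the active_modules target would write, applies the patched ifdef-style optional_policy to a constructed .te fragment, and lists the calls into an off module that would be left for checkmodule to reject, which is the error reported at the start of the thread. It assumes the "name = base|module|off" modules.conf syntax and the two- or three-argument optional_policy form, and it never invokes m4.

```python
# Constructed model of the build-time optional_policy pruning in the
# patch above; not refpolicy's own build code, and it never invokes m4.
import re

OPT = re.compile(r"optional_policy\(`([A-Za-z0-9_]+)',`")

def parse_modules_conf(text):
    """'name = base|module|off' lines -> {name: state}; '#' starts a comment."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in (l.partition("=") for l in lines if l)}

def active_defines(conf):
    """The define(`name.te',1) lines the patched Rules.modular feeds to m4."""
    return [f"define(`{m}.te',1)" for m, s in sorted(conf.items()) if s != "off"]

def _m4_arg(text, i):
    # Body of the m4 `...' argument starting at i, plus the index after its closing quote.
    depth, start = 1, i
    while depth:
        depth += {"`": 1, "'": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1], i

def expand_optional(te_text, conf):
    """Apply ifdef(`$1.te',`$2',`$3'): keep $2 if module $1 is built, else $3."""
    out, pos = [], 0
    while m := OPT.search(te_text, pos):
        out.append(te_text[pos:m.start()])
        args, i = [], m.end()
        while True:
            body, i = _m4_arg(te_text, i)
            args.append(body)
            if te_text[i] == ")":
                break
            i += 2  # skip ",`" and read the else branch
        keep = conf.get(m.group(1), "off") != "off"  # unlisted modules count as off
        out.append((args[0] if keep else args[1] if len(args) > 1 else "").strip("\n"))
        pos = i + 1
    return "".join(out) + te_text[pos:]

def unguarded_calls(te_text, conf):
    """Calls into 'off' modules left after expansion: the tokens checkmodule rejects."""
    off = [m for m, s in conf.items() if s == "off"]
    return sorted(c for mod in off for c in re.findall(rf"\b{re.escape(mod)}_\w+(?=\()", te_text))

# Constructed netutils.te fragment: the nis call is unguarded, as in the reported error.
NETUTILS_TE = """\
type netutils_t;
nis_use_ypbind(netutils_t)
optional_policy(`unconfined',`
	unconfined_dontaudit_read_pipe(netutils_t)
')
"""
GUARDED_TE = NETUTILS_TE.replace("nis_use_ypbind(netutils_t)\n",
    "optional_policy(`nis',`\n\tnis_use_ypbind(netutils_t)\n')\n")
```

With nis = off, expand_optional(NETUTILS_TE, ...) leaves nis_use_ypbind in place and unguarded_calls reports it; the GUARDED_TE variant prunes it and reports nothing.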

* Re: ANN: Reference Policy Release
From: Christopher J. PeBenito @ 2006-01-03 15:48 UTC
  To: Serge E. Hallyn; +Cc: SELinux Mail List

On Thu, 2005-12-15 at 16:28 -0600, Serge E. Hallyn wrote:
> Hmm, I'm trying to compile this as a modular policy.  I've selected
> "nis = off" in my modules.conf.  But I get
> 
> 	policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 	'nis_use_ypbind' on line 33005:
> 	#line 88
> 		nis_use_ypbind(netutils_t)
> 
> when I try 'make load'.

Looks like the interfaces for disabled modules are not being expanded
properly.  After a quick glance, the disabled modules are not being
included in the ALL_MODULES variable in the Rules.modular, so fixing it
should be fairly straightforward.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


