* ANN: Reference Policy Release
@ 2005-12-07 16:40 Christopher J. PeBenito
From: Christopher J. PeBenito @ 2005-12-07 16:40 UTC (permalink / raw)
To: SELinux Mail List
A new release of the SELinux Reference Policy is now available on
SourceForge from http://serefpolicy.sourceforge.net. The primary
activity for this release has been preparing and testing Reference
Policy for inclusion in Fedora Core 5 as its targeted policy. In
addition, several build issues have been fixed. The change log follows
at the bottom of the email.
Again, for those that are interested in contributing, right now the
best help would be to convert existing policies over to reference
policy; there is a list of modules on the reference policy status page
on SourceForge.
* Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
- Add unlabeled IPSEC association rule to domains with
networking permissions.
- Merge systemuser back in to users, as these files
do not need to be split.
- Add check for duplicate interface/template definitions.
- Move domain, files, and corecommands modules to kernel
layer to resolve some layering inconsistencies.
- Move policy build options out of Makefile into build.conf.
- Add yppasswd to nis module.
- Change optional_policy() to refer to the module name
rather than modulename.te.
- Fix labeling targets to use installed file_contexts rather
than partial file_contexts in the policy source directory.
- Fix build process to use make's internal vpath functions
to detect modules rather than using subshells and find.
- Add install target for modular policy.
- Add load target for modular policy.
- Add appconfig dependency to the load target.
- Miscellaneous fixes from Dan Walsh.
- Fix corenetwork gen_context()'s to expand during the policy
build phase instead of during the generation phase.
- Added policies:
amanda
avahi
canna
cyrus
dbskk
dovecot
distcc
i18n_input
irqbalance
lpd
networkmanager
pegasus
postfix
procmail
radius
rdisc
rpc
spamassassin
timidity
xdm
xfs
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-15 22:28 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux Mail List
Hmm, I'm trying to compile this as a modular policy. I've selected
"nis = off" in my modules.conf. But I get
policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
'nis_use_ypbind' on line 33005:
#line 88
nis_use_ypbind(netutils_t)
when I try 'make load'.
Is this me misunderstanding how I can use modules.conf, or is
the module policy mostly unsupported? (I'm happy to help get it
working, just am not sure how it's supposed to work now :) My first
instinct of course is that the "optional_policy" macro in
policy/support/loadable_module.spt would need to be more complicated
to handle using modules.conf... But man that's one ugly macro.
thanks,
-serge
Quoting Christopher J. PeBenito (cpebenito@tresys.com):
> A new release of the SELinux Reference Policy is now available on
> SourceForge from http://serefpolicy.sourceforge.net. The primary
> activity for this release has been preparing and testing Reference
> Policy for inclusion in Fedora Core 5 as its targeted policy. In
> addition, several build issues have been fixed. The change log follows
> at the bottom of the email.
>
> Again, for those that are interested in contributing, right now the
> best help would be to convert existing policies over to reference
> policy; there is a list of modules on the reference policy status page
> on SourceForge.
>
> * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
> - Add unlabeled IPSEC association rule to domains with
> networking permissions.
> - Merge systemuser back in to users, as these files
> do not need to be split.
> - Add check for duplicate interface/template definitions.
> - Move domain, files, and corecommands modules to kernel
> layer to resolve some layering inconsistencies.
> - Move policy build options out of Makefile into build.conf.
> - Add yppasswd to nis module.
> - Change optional_policy() to refer to the module name
> rather than modulename.te.
> - Fix labeling targets to use installed file_contexts rather
> than partial file_contexts in the policy source directory.
> - Fix build process to use make's internal vpath functions
> to detect modules rather than using subshells and find.
> - Add install target for modular policy.
> - Add load target for modular policy.
> - Add appconfig dependency to the load target.
> - Miscellaneous fixes from Dan Walsh.
> - Fix corenetwork gen_context()'s to expand during the policy
> build phase instead of during the generation phase.
> - Added policies:
> amanda
> avahi
> canna
> cyrus
> dbskk
> dovecot
> distcc
> i18n_input
> irqbalance
> lpd
> networkmanager
> pegasus
> postfix
> procmail
> radius
> rdisc
> rpc
> spamassassin
> timidity
> xdm
> xfs
>
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
>
* Re: ANN: Reference Policy Release
From: Daniel J Walsh @ 2005-12-16 17:59 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: Christopher J. PeBenito, SELinux Mail List
Serge E. Hallyn wrote:
> Hmm, I'm trying to compile this as a modular policy. I've selected
> "nis = off" in my modules.conf. But I get
>
> policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 'nis_use_ypbind' on line 33005:
> #line 88
> nis_use_ypbind(netutils_t)
>
> when I try 'make load'.
>
> Is this me misunderstanding how I can use modules.conf, or is
> the module policy mostly unsupported? (I'm happy to help get it
> working, just am not sure how it's supposed to work now :) My first
> instinct of course is that the "optional_policy" macro in
> policy/support/loadable_module.spt would need to be more complicated
> to handle using modules.conf... But man that's one ugly macro.
>
Looks like this should be optional.
> thanks,
> -serge
>
> Quoting Christopher J. PeBenito (cpebenito@tresys.com):
>
>> A new release of the SELinux Reference Policy is now available on
>> SourceForge from http://serefpolicy.sourceforge.net. The primary
>> activity for this release has been preparing and testing Reference
>> Policy for inclusion in Fedora Core 5 as its targeted policy. In
>> addition, several build issues have been fixed. The change log follows
>> at the bottom of the email.
>>
>> Again, for those that are interested in contributing, right now the
>> best help would be to convert existing policies over to reference
>> policy; there is a list of modules on the reference policy status page
>> on SourceForge.
>>
>> * Wed Dec 07 2005 Chris PeBenito <selinux@tresys.com> - 20051207
>> - Add unlabeled IPSEC association rule to domains with
>> networking permissions.
>> - Merge systemuser back in to users, as these files
>> do not need to be split.
>> - Add check for duplicate interface/template definitions.
>> - Move domain, files, and corecommands modules to kernel
>> layer to resolve some layering inconsistencies.
>> - Move policy build options out of Makefile into build.conf.
>> - Add yppasswd to nis module.
>> - Change optional_policy() to refer to the module name
>> rather than modulename.te.
>> - Fix labeling targets to use installed file_contexts rather
>> than partial file_contexts in the policy source directory.
>> - Fix build process to use make's internal vpath functions
>> to detect modules rather than using subshells and find.
>> - Add install target for modular policy.
>> - Add load target for modular policy.
>> - Add appconfig dependency to the load target.
>> - Miscellaneous fixes from Dan Walsh.
>> - Fix corenetwork gen_context()'s to expand during the policy
>> build phase instead of during the generation phase.
>> - Added policies:
>> amanda
>> avahi
>> canna
>> cyrus
>> dbskk
>> dovecot
>> distcc
>> i18n_input
>> irqbalance
>> lpd
>> networkmanager
>> pegasus
>> postfix
>> procmail
>> radius
>> rdisc
>> rpc
>> spamassassin
>> timidity
>> xdm
>> xfs
>>
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> (410) 290-1411 x150
>>
>>
* Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-18 23:20 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: SELinux Mail List
Quoting Serge E. Hallyn (serue@us.ibm.com):
> Hmm, I'm trying to compile this as a modular policy. I've selected
> "nis = off" in my modules.conf. But I get
>
> policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 'nis_use_ypbind' on line 33005:
> #line 88
> nis_use_ypbind(netutils_t)
>
> when I try 'make load'.
Also, I needed the following patch to get cvs refpolicy to compile as a
static policy without unconfined. Of course the offending statement was
"cjp: temporary hack" :)
thanks,
-serge
Index: refpolicy/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy.orig/policy/modules/system/selinuxutil.te 2005-12-17 22:24:11.000000000 -0600
+++ refpolicy/policy/modules/system/selinuxutil.te 2005-12-18 17:13:38.000000000 -0600
@@ -198,7 +198,9 @@ ifdef(`targeted_policy', `
# cjp: temporary hack to cover
# up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
-unconfined_dontaudit_read_pipe(load_policy_t)
+optional_policy(`unconfined',`
+ unconfined_dontaudit_read_pipe(load_policy_t)
+')
########################################
#
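Review bot: the new optional_policy(`unconfined',` guard wraps only the unconfined_dontaudit_read_pipe() call, while the "# cjp: temporary hack to cover up stray file descriptors" comment directly above it is left as it was; update that comment to say the unconfined dependency is now optional and why the hack must still build without unconfined, otherwise the next reader cannot tell whether the unconditional `dontaudit load_policy_t selinux_config_t:file write;` that stays outside the guard is intended to remain.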
* [PATCH] Re: ANN: Reference Policy Release
From: Serge E. Hallyn @ 2005-12-22 1:25 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: Christopher J. PeBenito, SELinux Mail List
Quoting Daniel J Walsh (dwalsh@redhat.com):
> Serge E. Hallyn wrote:
> >Hmm, I'm trying to compile this as a modular policy. I've selected
> >"nis = off" in my modules.conf. But I get
> >
> > policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> > 'nis_use_ypbind' on line 33005:
> > #line 88
> > nis_use_ypbind(netutils_t)
> >
> >when I try 'make load'.
> >
> >Is this me misunderstanding how I can use modules.conf, or is
> >the module policy mostly unsupported? (I'm happy to help get it
> >working, just am not sure how it's supposed to work now :) My first
> >instinct of course is that the "optional_policy" macro in
> >policy/support/loadable_module.spt would need to be more complicated
> >to handle using modules.conf... But man that's one ugly macro.
> >
> Looks like this should be optional.
Right :) I just had no idea how it was meant to be implemented.
The following patch is one way of implementing the optional_policy
macro for policy modules. Likely not the best, but I can now
do a full 'make modules'.
thanks,
-serge
Index: refpolicy/Rules.modular
===================================================================
--- refpolicy.orig/Rules.modular 2005-12-21 17:15:50.000000000 -0600
+++ refpolicy/Rules.modular 2005-12-21 18:48:49.000000000 -0600
@@ -37,7 +37,12 @@ all: base modules
base: $(BASE_PKG)
-modules: $(MOD_PKGS)
+active_modules: $(MOD_CONF)
+ echo $(MOD_MODS) | sed -e 's/ /\n/g' \
+ | sed -e 's/^\(.*\)$$/define(`\1\x27,1)/' \
+ > active_modules
+
+modules: active_modules $(MOD_PKGS)
install: $(INSTPKG) $(APPFILES)
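Review bot: the active_modules recipe depends on GNU-only sed behaviour, since `\n` in the replacement of `s/ /\n/g` and `\x27` for the closing quote are not POSIX and the rule will emit the wrong text on another sed; `tr ' ' '\n'` for the split and a literal quote written from the Makefile avoid both. Separately, the file defines `define(`\1',1)` for each word of $(MOD_MODS), while the loadable_module.spt hunk tests ifdef(`$1.te'), so the two only line up if MOD_MODS holds bare `name.te` basenames rather than paths; a comment on the rule stating that assumption would save the next person from debugging a silently false ifdef.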
@@ -62,7 +67,7 @@ $(MODPKGDIR)/%.pp: %.pp
#
# Build module packages
#
-tmp/%.mod: $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
+tmp/%.mod: active_modules $(M4SUPPORT) tmp/generated_definitions.conf tmp/all_interfaces.conf %.te
@echo "Compliling $(NAME) $(@F) module"
$(QUIET) m4 $(M4PARAM) -s $^ > $(@:.mod=.tmp)
$(QUIET) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
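Review bot: putting active_modules first in the tmp/%.mod prerequisites is what makes the defines visible, because the recipe hands `$^` to m4 and so feeds active_modules ahead of %.te; that ordering dependency is invisible in the rule and deserves a comment, since reordering the prerequisite list would quietly drop every definition. The unchanged `@echo "Compliling ..."` context line could be corrected to "Compiling" while this rule is being touched.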
@@ -186,5 +191,6 @@ clean:
rm -f *.pp
rm -f $(BASE_FC)
rm -fR tmp
+ rm -f active_modules
.PHONY: default all base modules install load clean
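Review bot: the added `rm -f active_modules` in clean is only needed because the generated file is written to the top-level directory; the other build products live under tmp/ and are already removed by `rm -fR tmp`, so generating tmp/active_modules instead would drop this line and keep generated state out of the source tree.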
Index: refpolicy/policy/support/loadable_module.spt
===================================================================
--- refpolicy.orig/policy/support/loadable_module.spt 2005-12-21 17:15:59.000000000 -0600
+++ refpolicy/policy/support/loadable_module.spt 2005-12-21 18:45:56.000000000 -0600
@@ -86,17 +86,7 @@ define(`policy_call_depth',0)
# Optional policy handling
#
define(`optional_policy',`
- ifdef(`self_contained_policy',`
- ifdef(`$1.te',`$2',`$3')
- ',`
- optional {
- $2
- ifelse(`$3',`',`',`
- } else {
- $3
- ')
- }
- ')
+ ifdef(`$1.te',`$2',`$3')
')
##############################
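Review bot: the replacement body removes the `optional { ... } else { ... }` wrapper for the non-self_contained_policy case entirely, so a loadable module built while the referenced module is enabled now takes a hard link-time dependency on it instead of an optional block; if that module is later removed or not loaded, the dependant fails to link or load rather than skipping the block. Keep the existing `optional { $2 ... }` form in the modular branch and only add the ifdef(`$1.te') test in front of it, so that build-time filtering from active_modules and the runtime optional semantics both apply.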
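The patch above generates the active_modules define() list with GNU sed extensions, and the thread's original problem is a module marked "nis = off" in modules.conf. The following is an added example written for this page, not code from the thread or from the Reference Policy build: it derives the same define(`name.te',1) lines from a modules.conf using only POSIX sed, tr and the shell, emitting nothing for disabled modules so that ifdef(`nis.te', ...) inside optional_policy() is false, and warning on malformed entries. It generalizes beyond the single "nis = off" line shown in the thread by assuming the modules.conf syntax "name = base|module|off" with '#' comments; the helper names gen_active_modules and module_enabled are hypothetical, and the modules.conf content it runs on is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread or refpolicy): derive the m4 define()
# list for enabled modules from a modules.conf with POSIX tools only, so
# ifdef(`name.te', ...) in optional_policy() is false for disabled modules.
# Assumption beyond the "nis = off" line shown in the thread: every entry
# has the form "name = base|module|off" and '#' starts a comment.

# Print one define(`name.te',1) line per module whose value is base or module.
gen_active_modules() {
    conf=$1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r name value; do
        name=$(printf '%s' "$name" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | tr -d '[:space:]')
        case "$value" in
            base|module) printf "define(\`%s.te',1)\n" "$name" ;;
            off) ;;   # disabled: emit nothing, so ifdef(`name.te') is false
            *) printf 'warning: %s: "%s = %s" is not base/module/off\n' \
                   "$conf" "$name" "$value" >&2 ;;
        esac
    done
}

# Exit 0 when modules.conf enables the named module, 1 otherwise.
module_enabled() {
    gen_active_modules "$1" | grep -q "^define(\`$2\.te',1)\$"
}

# Demo on a constructed modules.conf (sample data, not a real configuration).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample modules.conf
nis = off
netutils = module
unconfined = base
EOF
gen_active_modules "$demo_conf"
if module_enabled "$demo_conf" nis; then
    echo "nis enabled: optional_policy(\`nis', ...) body is compiled in"
else
    echo "nis is off: optional_policy(\`nis', ...) body is dropped"
fi
rm -f "$demo_conf"
```

Feeding the output of gen_active_modules to m4 ahead of a module's .te file, as the patch's tmp/%.mod rule does via `$^`, is what makes the ifdef tests inside optional_policy() see the definitions; a module whose entry is "off" simply never appears, which is the case Serge's netutils error hit.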
* Re: ANN: Reference Policy Release
From: Christopher J. PeBenito @ 2006-01-03 15:48 UTC (permalink / raw)
To: Serge E. Hallyn; +Cc: SELinux Mail List
On Thu, 2005-12-15 at 16:28 -0600, Serge E. Hallyn wrote:
> Hmm, I'm trying to compile this as a modular policy. I've selected
> "nis = off" in my modules.conf. But I get
>
> policy/modules/admin/netutils.te:88:ERROR 'syntax error' at token
> 'nis_use_ypbind' on line 33005:
> #line 88
> nis_use_ypbind(netutils_t)
>
> when I try 'make load'.
Looks like the interfaces for disabled modules are not being expanded
properly. After a quick glance, the disabled modules are not being
included in the ALL_MODULES variable in the Rules.modular, so fixing it
should be fairly straightforward.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150