> From: Paul Howarth [mailto:paul@xxxxxxxxxxxx]
>
> On Tue, 2006-06-20 at 16:12 -0400, Christopher J. PeBenito wrote:
> > On Fri, 2006-05-19 at 08:03 -0400, Stephen Smalley wrote:
> > > On Thu, 2006-05-18 at 13:39 +0100, Paul Howarth wrote:
> > > > Paul Howarth wrote:
> > > > > Stephen Smalley wrote:
> > > > >> On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> > > > >>> It contains a policy module, but the module only includes file contexts.
> > > > >>
> > > > >> If this is going to be common, then semodule_package and
> > > > >> libsemanage need to allow for policy packages that have no policy module.
> > [cut]
> > > - Cleanly supporting policy packages that do not include a binary
> > > policy module in the tools (e.g. semodule_package) and libraries (e.g.
> > > libsemanage, libsepol), so that they can be used to ship just file
> > > contexts or other components. I don't know of any work in progress
> > > yet on that issue, so it may make sense to bugzilla it, although it
> > > is really an upstream issue, and there isn't presently an upstream
> > > bugzilla for selinux (just the mailing list).
> >
> > I was looking at what it would take to support a package without a
> > module. Without the binary policy, there is one problem of where the
> > module name and version will come from. We could either add this to
> > the package itself (which would require a policy package format
> > change), or add a section to the package for module name and version
> > (which seems like a hack to me).
>
> What I'm suggesting isn't a policy package with just file
> contexts, it's one with no allow/dontaudit rules in the
> policy, like this:
>
> ::::::::::::::
> contagged.if
> ::::::::::::::
> # contagged.if
> #
> # This module has no interfaces
> ::::::::::::::
> contagged.fc
> ::::::::::::::
> /var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
> ::::::::::::::
> contagged.te
> ::::::::::::::
> # It's currently only necessary to set file contexts for the cache directory
> # in this policy, but doing it in a module is easier from a package maintenance
> # point of view than using semanage and chcon in scriptlets
>
> policy_module(contagged, 0.3)
>
> ########################################
> #
> # Declarations
> #
>
> require {
>     type httpd_cache_t;
> };
>
>
> ########################################
> #
> # Local policy
> #
>
> # (none needed)
>
> > More importantly, I believe a package without a module does not make
> > sense because the types and users used in the file contexts should
> > either be declared or required by the module in the package.
> > Otherwise the transaction fails late when the file contexts are
> > validated, rather than early during linking.
>
> I agree. It would make sense for compilation/linking of the
> module above to fail if the "require" wasn't present.
> Currently that doesn't happen.
>
> Paul.
>

Try putting a line with just ; where the rules would go and see if that compiles.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
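The point raised in the thread is that a type named in a module's file contexts should be declared or required by the module's own policy source, so that a mismatch fails at build time rather than when the package transaction validates file contexts. The script below is an added example, not code from the thread or from the reference policy or SELinux userspace: it is a small pre-build lint that parses a `.te` and a `.fc` source and reports any type used in a file context that the `.te` neither declares nor pulls in through a `require { ... }` block. The sample module texts are constructed here, modelled on the `contagged` module above; the second, `broken`, is a hypothetical module that forgot its `require` block. Users and roles in the contexts are not checked, only types.

```python
"""Lint an SELinux policy module's .fc against its .te: every type used in a
file context must be declared by the .te or listed in one of its require blocks.
"""
import re

# --- constructed sample inputs (modelled on the thread's contagged module) ---
CONTAGGED_TE = """\
policy_module(contagged, 0.3)

require {
    type httpd_cache_t;
};
"""
CONTAGGED_FC = """\
/var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
"""

# Hypothetical module that declares one type but forgot to require the other.
BROKEN_TE = """\
policy_module(broken, 0.1)

type broken_exec_t;
files_type(broken_exec_t)
"""
BROKEN_FC = """\
/usr/bin/broken         --    gen_context(system_u:object_r:broken_exec_t,s0)
/var/lib/broken(/.*)?         gen_context(system_u:object_r:broken_var_lib_t,s0)
"""

_COMMENT_RE = re.compile(r"#.*$", re.M)
# user:role:type, with or without a surrounding gen_context(...); any MLS field
# after the third colon is not captured.
_CONTEXT_RE = re.compile(r"\b(\w+):(\w+):(\w+)")
# "type foo_t;" or "type foo_t, attr;" -> first name is the declared type.
# "type_transition" and "typeattribute" do not match because of the \s+.
_TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)", re.M)
_REQUIRE_RE = re.compile(r"require\s*\{(.*?)\}", re.S)
# Inside a require block "type a, b;" names several required types.
_REQ_TYPE_RE = re.compile(r"\btype\s+([^;]+);")


def strip_comments(text):
    """Drop '#' comments so commented-out lines are not parsed."""
    return _COMMENT_RE.sub("", text)


def fc_types(fc_text):
    """Set of type names used in the security contexts of a .fc file."""
    return {m.group(3) for m in _CONTEXT_RE.finditer(strip_comments(fc_text))}


def te_known_types(te_text):
    """Types a .te file declares itself or requires from other modules."""
    text = strip_comments(te_text)
    known = set(_TYPE_DECL_RE.findall(text))
    for block in _REQUIRE_RE.findall(text):
        for names in _REQ_TYPE_RE.findall(block):
            known.update(n.strip() for n in names.split(",") if n.strip())
    return known


def undeclared_fc_types(te_text, fc_text):
    """Types the .fc uses that the .te neither declares nor requires (sorted)."""
    return sorted(fc_types(fc_text) - te_known_types(te_text))


def lint_module(name, te_text, fc_text):
    """Human-readable findings; an empty list means the sources are consistent."""
    return [
        f"{name}.fc uses type {t}, but {name}.te neither declares nor requires it"
        for t in undeclared_fc_types(te_text, fc_text)
    ]


if __name__ == "__main__":
    for name, te, fc in (("contagged", CONTAGGED_TE, CONTAGGED_FC),
                         ("broken", BROKEN_TE, BROKEN_FC)):
        findings = lint_module(name, te, fc)
        print(f"{name}: " + ("ok" if not findings else "; ".join(findings)))
```

Run before `checkmodule`/`semodule_package` in a package build, a non-empty result from `lint_module` is the early failure the thread asks for; it does not replace the build tools, which still decide whether the module links.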