Daniel J Walsh wrote:
Testing results. On my rawhide system.
NOTE: Rebuild policy old fashioned way
# rpm -Uhv --force /home/dwalsh/sources/RPMS/noarch/selinux-policy*3.5.6-2.fc10.noarch.rpm
Preparing...                ########################################### [100%]
   1:selinux-policy         ########################################### [ 50%]
   2:selinux-policy-targeted########################################### [100%]
# grep root /etc/selinux/targeted/seusers \
/etc/selinux/targeted/modules/active/seusers \
/etc/selinux/targeted/modules/active/seusers.final
/etc/selinux/targeted/seusers:root:unconfined_u:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers:root:unconfined_u:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers.final:root:unconfined_u:s0-s0:c0.c1023
Note all three seusers files reference root.
# semanage login -d root
NOTE: Command did not fail. This command is actually deleting the
customization of root to use unconfined_u.
# grep root /etc/selinux/targeted/seusers \
/etc/selinux/targeted/modules/active/seusers \
/etc/selinux/targeted/modules/active/seusers.final
/etc/selinux/targeted/seusers:root:root:s0-s0:c0.c1023
/etc/selinux/targeted/modules/active/seusers.final:root:root:s0-s0:c0.c1023
NOTE root entry is still in
/etc/selinux/targeted/modules/active/seusers.final and
/etc/selinux/targeted/seusers
But it is using SELinux User "root" now which is the default in the base
package.
This is very strange, since it is really not supposed to do that - how
does it get the "root:root:s0-s0:c0.c1023" out of the base package
without going through here?
Is it still going through the old code path somehow?
    if (sepol_module_package_get_seusers_len(base)) {
        ofilename = semanage_path(SEMANAGE_TMP,
                                  SEMANAGE_SEUSERS);
There are other things to worry about, such as whether prefix
information (users_extra file) is correctly merged from the base package.
Ivan
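
Added example (not part of the original message and not libsemanage code): a small shell check that repeats the grep comparison above for any login, printing the SELinux user each seusers file maps it to and returning non-zero when the files disagree. The temporary files and the name active.seusers are constructed stand-ins for the three paths in the message.

```shell
#!/bin/sh
# seusers lines look like login:seuser:mls-range; the range may itself
# contain ':' (s0-s0:c0.c1023), so only fields 1 and 2 are used.

# seuser_for LOGIN FILE: print the SELinux user mapped to LOGIN, or "-" if none.
seuser_for() {
    [ -r "$2" ] || { echo "-"; return 0; }
    awk -F: -v login="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $1 == login { print $2; found = 1; exit }
        END { if (!found) print "-" }
    ' "$2"
}

# compare_seusers LOGIN FILE...: print "FILE: seuser" for each file.
# Returns 0 when every file gives the same answer, 1 otherwise.
compare_seusers() {
    login=$1; shift
    seen=0; rc=0
    for f in "$@"; do
        u=$(seuser_for "$login" "$f")
        printf '%s: %s\n' "$f" "$u"
        if [ "$seen" -eq 0 ]; then first=$u; seen=1
        elif [ "$u" != "$first" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample: the three files as the grep output shows them
# before (all unconfined_u) and after "semanage login -d root".
make_sample() {
    mkdir -p "$1/before" "$1/after"
    for n in seusers active.seusers seusers.final; do
        printf '# constructed\nroot:unconfined_u:s0-s0:c0.c1023\n' > "$1/before/$n"
    done
    printf 'root:root:s0-s0:c0.c1023\n' > "$1/after/seusers"
    printf '# constructed: no root entry\n' > "$1/after/active.seusers"
    printf 'root:root:s0-s0:c0.c1023\n' > "$1/after/seusers.final"
}

tmp=$(mktemp -d)
make_sample "$tmp"
for s in before after; do
    echo "== $s"
    compare_seusers root "$tmp/$s/seusers" "$tmp/$s/active.seusers" \
        "$tmp/$s/seusers.final" || echo "root mapping is not the same in all files"
done
rm -rf "$tmp"
```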