On Fri, Aug 21 2009, Daniel J Walsh wrote:
> Currently when rpm ships, it does an
> semodule -b base.pp -i a.pp b,pp c.pp
> It should be able to do
> semodule -b base.pp -u a.pp b.pp c.pp
>
> But -u blows up if c.pp was not previously installed. It should
> follow the rpm -U syntax; upgrade if the previous package exists and
> install if it does not. If we want to add a -F (freshen) this could
> only upgrade pre-existing modules, and ignore others.
> If I was to change to -u, I would need to add a fourth field to policy
> modules and upgrade it each time I added a patch. It would be a pain,
> but I guess I could deal with it.
> BUT A bigger problem is how to deal with an administrator that wants
> to remove a package and ensure it does not get reinstalled. If an
> administrator decides he does not want to install unconfined.pp, we do
> not want an selinux-policy upgrade to re-install the package.
Could you not look at the .pp files already installed, and only
add to that list policy that corresponds to packages currently bing
installed in this run of rpm? (Debian has a postinstall script that
tries to ma between packages on the system and the corresponding .pp
files to be installed). This leaves the heuristics in the packaging
scripts, and not in semodule.
>
> semodule -r should set a flag when a package gets removed. Then
> semodule -u or semodule -i would not install the package unless the
> administrator specifies a -f.
> semodule -r unconfined
> Would create a file in the policy store
> /etc/selinux/targeted/modules/active/modules/unconfined.exclude.
> semodule -u and semodule -i would respect, and just print out an error
> message.
> semodule -u unconfined.pp
> Warning: unconfined.pp is excluded from the policy store, use -f to
> force the install
Are you talking about explicit administrator action? In that
case it makes sense.
But I would also like to unload policy modules if a package gets
removed: So installing, say, apache should also load the selinux policy
for apache; and removing the apache package should remove that.
But then if I reinstall apache I do not want apache policy from
being blocked.
So how about asking for semodule -F -r foo
(-F meaning to block the foo.pp from the policy store in the future).
This allows the admin to block the policy from the store, but allows
normal package removal/reinstall to work nominally.
> I would like to get consensus on this before I implement. Or others
> can implement.
I would like to see a solution that distinguishes between the
two use cases, and adds the force option on removal before blocking
occurs.
manoj
--
Manoj Srivastava <srivasta@xxxxxxx> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
