On Thu, 2010-01-07 at 17:28 -0500, Chad Sellers wrote:
> On 12/23/09 6:25 PM, "Caleb Case" <ccase@xxxxxxxxxx> wrote:
> 
> > Our motivations for this patchset are to:
> > 
> > * Move the semanage store - the portion of the SELinux configuration
> >   managed by libsemanage - to a more appropriate location in the
> >   filesystem. The current location - in /etc - is designated for
> >   administrator controlled configuration and is sometimes mounted
> >   read-only. By storing binary, program managed data in /etc libsemanage
> >   breaks administrator expectations.
> > 
> > * Enable the overriding of modules in the module store without requiring
> >   the original modules to be removed or modified. This allows
> >   administrators to customize the policy more fully while allowing the
> >   distribution provided policies to be left unmodified and continue to
> >   be updated by the package manager.
> > 
> > * Provide the ability for an administrator to disable a module without
> >   removing or overriding that module.
> > 
> > [Move to /var/lib/selinux]
> > 
> > Move the libsemanage private store
> >   from /etc/selinux/<policy type>/modules
> >   to /var/lib/selinux/<policy type>
> > 
> > The benefits of this are:
> > 
> > * Permits the use of a read-only /etc.
> > 
> > * Conforms to the Filesystem Hierarchy Standard.
> > 
> > An additional change in layout structure moves the temporary space for
> > the active policy to an external temporary space. This has the benefit
> > of permitting source control management to be used on the private
> > policy.
> > 
> > [Module Priorities]
> > 
> > Module priorities modify libsemanage and the module store to allow
> > multiple modules with the same name to exist with different priorities.
> > Only the highest priority module is used to create the final system
> > policy. The addition of module priorities enables the modification of
> > the system policy without modifying individual modules. For example, it
> > allows an administrator to add his own policy module for apache,
> > completely replacing the distribution provided module, without changing
> > or removing the distribution policy. This has several benefits:
> > 
> > * Distribution provided policy package updates proceed normally - the
> >   distribution policy is inserted but the administrator provided policy
> >   remains active.
> > 
> > * Multiple levels allow distributors, 3rd party applications, system
> >   management tools (e.g., puppet), and local administrators to all make
> >   changes without conflicting.
> > 
> > * Semanage modifications of policy (e.g., port labeling) will be able to
> >   use high priority modules in the future to override defaults (requires
> >   the CIL[1] language changes).
> > 
> > [Enable/Disable Modules]
> > 
> > Modules gain an enabled / disabled status. Enabled modules are used by
> > semanage when building the active policy, and disabled modules are
> > ignored. The main benefit of this is that modules can be disabled
> > without removing them from the store.
> > 
> > [Patchset Breakdown]
> > 
> > The patchset is broken down as follows:
> > 
> > Bug fixes:
> > 
> >   libsemanage: fix typo in tests makefile -o -> -O
> > 
> > Move the libsemanage store to /var/lib/selinux:
> > 
> >   semanage: move permissive module creation to /tmp
> >   libsemanage: move the module store to /var/lib/selinux
> >   libsemanage: split final files into /var/lib/selinux/tmp
> >   libsemanage: update unit tests for move to /var/lib/selinux
> > 
> > Implement support for the new libsemanage store layout:
> > 
> >   libsemanage: add default priority to semanage_handle_t
> >   libsemanage: augment semanage_module_info_t and provide semanage_module_key_t
> >   libsemanage: get/set module info and enabled status
> >   libsemanage: provide function to get new base module path
> >   libsemanage: provide function to get new base module path
> >   libsemanage: installing/upgrading/removing modules via info and key
> > 
> > Provide private headers for upstream tools to use:
> > 
> >   libsemanage: new private api for unstable functions
> > 
> > Extend semodule to support enable/disable, priorities, and detailed listings:
> > 
> >   semodule: add priority, enabled, and extended listing
> > 
> > Migration script for moving the libsemanage store:
> > 
> >   semanage store migration script
> > 
> > Thanks for your feedback!
> > 
> > Caleb
> > 
> > [1] CIL RFC: http://marc.info/?l=selinux&m=124759244409438&w=2
> > 
> > Caleb Case (13):
> >   libsemanage: fix typo in tests makefile -o -> -O
> >   semanage: move permissive module creation to /tmp
> >   libsemanage: move the module store to /var/lib/selinux
> >   libsemanage: split final files into /var/lib/selinux/tmp
> >   libsemanage: update unit tests for move to /var/lib/selinux
> >   libsemanage: add default priority to semanage_handle_t
> >   libsemanage: augment semanage_module_info_t and provide
> >     semanage_module_key_t
> >   libsemanage: get/set module info and enabled status
> >   libsemanage: provide function to get new base module path
> >   libsemanage: installing/upgrading/removing modules via info and key
> >   libsemanage: new private api for unstable functions
> >   semodule: add priority, enabled, and extended listing
> >   semanage store migration script
> > 
> >  libsemanage/include/Makefile                     |    3 +
> >  libsemanage/include/semanage/private/handle.h    |   31 +
> >  libsemanage/include/semanage/private/modules.h   |  281 ++++
> >  libsemanage/include/semanage/private/semanage.h  |   26 +
> >  libsemanage/src/boolean_internal.h               |    4 +-
> >  libsemanage/src/booleans_file.c                  |    7 +-
> >  libsemanage/src/booleans_policydb.c              |    6 +-
> >  libsemanage/src/database_file.c                  |   45 +-
> >  libsemanage/src/database_file.h                  |    3 +-
> >  libsemanage/src/database_policydb.c              |   37 +-
> >  libsemanage/src/database_policydb.h              |    3 +-
> >  libsemanage/src/direct_api.c                     | 1652 +++++++++++++++++++---
> >  libsemanage/src/fcontext_internal.h              |    3 +-
> >  libsemanage/src/fcontexts_file.c                 |    7 +-
> >  libsemanage/src/genhomedircon.c                  |    3 +-
> >  libsemanage/src/handle.c                         |   23 +
> >  libsemanage/src/handle.h                         |    3 +
> >  libsemanage/src/handle_internal.h                |    1 +
> >  libsemanage/src/iface_internal.h                 |    4 +-
> >  libsemanage/src/interfaces_file.c                |    7 +-
> >  libsemanage/src/interfaces_policydb.c            |    6 +-
> >  libsemanage/src/libsemanage.map                  |   26 +
> >  libsemanage/src/module_internal.h                |   21 +
> >  libsemanage/src/modules.c                        |  999 +++++++++++++-
> >  libsemanage/src/modules.h                        |   76 +-
> >  libsemanage/src/node_internal.h                  |    4 +-
> >  libsemanage/src/nodes_file.c                     |    7 +-
> >  libsemanage/src/nodes_policydb.c                 |    6 +-
> >  libsemanage/src/policy.h                         |   36 +
> >  libsemanage/src/port_internal.h                  |    4 +-
> >  libsemanage/src/ports_file.c                     |    7 +-
> >  libsemanage/src/ports_policydb.c                 |    6 +-
> >  libsemanage/src/semanage_store.c                 |  794 ++++++++--
> >  libsemanage/src/semanage_store.h                 |   47 +-
> >  libsemanage/src/seuser_internal.h                |    4 +-
> >  libsemanage/src/seusers_file.c                   |    7 +-
> >  libsemanage/src/user_internal.h                  |    6 +-
> >  libsemanage/src/users_base_file.c                |    7 +-
> >  libsemanage/src/users_base_policydb.c            |    6 +-
> >  libsemanage/src/users_extra_file.c               |    7 +-
> >  libsemanage/tests/Makefile                       |    2 +-
> >  libsemanage/tests/test_semanage_store.c          |   34 +-
> >  libsemanage/utils/semanage_migrate_etc_to_var.py |  301 ++++
> >  policycoreutils/semanage/seobject.py             |   15 +-
> >  policycoreutils/semodule/semodule.8              |   25 +-
> >  policycoreutils/semodule/semodule.c              |  242 +++-
> >  46 files changed, 4267 insertions(+), 577 deletions(-)
> >  create mode 100644 libsemanage/include/semanage/private/handle.h
> >  create mode 100644 libsemanage/include/semanage/private/modules.h
> >  create mode 100644 libsemanage/include/semanage/private/semanage.h
> >  create mode 100755 libsemanage/utils/semanage_migrate_etc_to_var.py
> 
> Well, there have been no comments on this patchset. I'm guessing that's
> because:
> 
> 1) We've talked to some of you face to face about it already.
> 2) It's a big patchset, and you'd want to try it out a bit before
> commenting.
> 

I've been trying it out for the last few days. I haven't had any problems yet.

> To address #2, I'd like to propose creating an upstream branch for these
> changes. This patchset is actually just the first patchset in a larger
> effort to improve policy infrastructure. I think an upstream branch will
> make it easier for many people to track those changes and try out the new
> features we're creating. Eventually that branch can be merged back into
> master.
> 
> Thoughts?

I think that creating an upstream branch would be a good idea.

> 
> Thanks,
> Chad Sellers
> 
> Oh, and in case it wasn't implied:
> Acked-by: Chad Sellers <csellers@xxxxxxxxxx>
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> the words "unsubscribe selinux" without quotes as the message.

-- 
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
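The module-priority and enable/disable rules in the cover letter above (several modules may share a name at different priorities, only the highest-priority one reaches the final policy, and disabled modules are ignored) can be modelled in a few lines. The following is an added example written for this page; it is not code from the patchset or from libsemanage. It keeps the store in memory instead of under /var/lib/selinux/<policy type>, uses constructed priorities and module names, and assumes (the cover letter does not say) that the disabled flag is tracked per module name rather than per (name, priority) entry.

```python
# Added example (not libsemanage code): in-memory model of the proposed
# module store semantics - same-name modules at several priorities,
# highest priority wins, disabled modules are left out of the policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class ModuleInfo:
    name: str
    priority: int      # higher number wins, as in the proposal
    source: str        # constructed label for who installed it


class ModuleStore:
    """Stand-in for the per-policy-type store under /var/lib/selinux/<type>."""

    def __init__(self):
        self._modules = {}      # (name, priority) -> ModuleInfo
        # Assumption (not stated on the page): the enabled/disabled status
        # belongs to a module name, so disabling "foo" hides every priority.
        self._disabled = set()

    def install(self, info):
        """Install or upgrade: same name *and* priority replaces the entry;
        a different priority adds a parallel entry and leaves the rest
        untouched, which is what lets an admin override a distro module
        without removing it."""
        self._modules[(info.name, info.priority)] = info

    def remove(self, name, priority):
        """Remove one (name, priority) entry; other priorities survive."""
        self._modules.pop((name, priority), None)

    def set_enabled(self, name, enabled):
        if enabled:
            self._disabled.discard(name)
        else:
            self._disabled.add(name)

    def is_enabled(self, name):
        return name not in self._disabled

    def list_all(self):
        """Extended listing: every stored entry with its enabled status."""
        return sorted((m.name, m.priority, m.source, self.is_enabled(m.name))
                      for m in self._modules.values())

    def active(self):
        """Modules that would be linked into the final policy: for each
        enabled name, the entry with the highest priority."""
        chosen = {}
        for (name, prio), info in self._modules.items():
            if name in self._disabled:
                continue
            if name not in chosen or prio > chosen[name].priority:
                chosen[name] = info
        return chosen


def build_example_store():
    """Constructed scenario: distro apache, a puppet override, an admin
    override, and a distro module the admin has disabled in place."""
    store = ModuleStore()
    store.install(ModuleInfo("apache", 100, "distro"))
    store.install(ModuleInfo("apache", 300, "puppet"))
    store.install(ModuleInfo("apache", 400, "admin"))
    store.install(ModuleInfo("telnet", 100, "distro"))
    store.set_enabled("telnet", False)
    # A distro package update reinstalls at the distro's own priority;
    # the admin's higher-priority module stays active.
    store.install(ModuleInfo("apache", 100, "distro-update"))
    return store


if __name__ == "__main__":
    store = build_example_store()
    for row in store.list_all():
        print(row)
    print({n: (m.priority, m.source) for n, m in store.active().items()})
```

Running the script lists all four stored entries (the two apache overrides, the updated distro apache, and the disabled telnet module) and then shows that only the priority-400 admin apache module is active; removing that entry makes the puppet module take over, and re-enabling telnet brings the distro module back without reinstalling it.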