Re: v2 Skip role attributes for policy.X and downgraded pp

Christopher J. PeBenito wrote:
> On 08/16/11 04:08, Harry Ciao wrote:
>   
>> Difference from v1
>> --------------------
>> 1. Skip role attributes when pp is downgraded, as well as for policy.X.
>>
>>    When pp is downgraded the flavor flag and roles ebitmap would be
>>    discarded, leaving role attributes entirely useless. So in such a
>>    case role attributes should be skipped for pp too.
>>
>>
>> Tests I've done
>> -----------------
>> 1. Apply the role attribute test patch from Chris, adding a new test_r
>>    role and calling rpm_run() for it.
>>    
>> 2. Use the apol tool to analyze what types the test_r role could type with:
>>    (Since the apol installed on Ubuntu so far only supports a maximum
>>     policy version of 24, we need to set "policy-version = 24" in semanage.conf)
>>    
>> Note: 
>> . There are no role attributes such as portage/semanage/rpm_roles in policy.24
>> . By default pp's version is 13.
>>
>> test_r (36 types)
>>     bootloader_t
>>     chfn_t
>>     chkpwd_t
>>     consoletype_t
>>     ddclient_t
>>     depmod_t
>>     dhcpc_t
>>     groupadd_t
>>     hostname_t
>>     ifconfig_t
>>     insmod_t
>>     iptables_t
>>     ldconfig_t
>>     load_policy_t
>>     loadkeys_t
>>     lvm_t
>>     netutils_t
>>     newrole_t
>>     nscd_t
>>     pam_t
>>     passwd_t
>>     ping_t
>>     pppd_t
>>     pptp_t
>>     prelink_t
>>     rpm_script_t
>>     rpm_t
>>     semanage_t
>>     setfiles_t
>>     test_t
>>     traceroute_t
>>     tzdata_t
>>     updpwd_t
>>     useradd_t
>>     usernetctl_t
>>     utempter_t
>>
>> 3. In write_binary_policy() in checkmodule.c, trigger pp downgrade
>>    by adding "policyvers = MOD_POLICYDB_VERSION_MAX - 1;", then use
>>    apol to analyze what types the test_r role could type with:
>>
>> Note:
>> . After downgrade, pp's version is 12 now.
>>
>> test_r (22 types)
>>     chfn_t
>>     chkpwd_t
>>     consoletype_t
>>     ddclient_t
>>     dhcpc_t
>>     hostname_t
>>     ifconfig_t
>>     insmod_t
>>     iptables_t
>>     loadkeys_t
>>     netutils_t
>>     newrole_t
>>     pam_t
>>     passwd_t
>>     ping_t
>>     pppd_t
>>     pptp_t
>>     test_t
>>     traceroute_t
>>     updpwd_t
>>     usernetctl_t
>>     utempter_t
>>
>>    Here we can see that test_r could no longer type with all those
>>    types that are typed by rpm_roles and semanage_roles.
>>
>>    (BTW, this means that once role attributes are endorsed in refpolicy,
>>     the influence of pp downgrade could be far-reaching and perhaps
>>     undesirable.)
>>     
>
> I would not say this is undesirable, but broken instead.  The attributes
> should be expanded out so the role has the same type set regardless of
> the policydb version.
>
>   
I agree; originally I would have used "broken" too. Since the flavor flag and
roles ebitmap won't be written into pp when the module is downgraded for
compatibility reasons, the relationships between role attributes and
regular roles would be entirely wiped out, so the role attributes could
never be expanded during link and expansion.

That's why I've decided not to write role attribute at all for
downgraded modules.

Agree?

Thanks,
Harry

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
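The mechanism Harry describes above, as an added toy model that is not part of this thread, libsepol, checkmodule or refpolicy: a role table with a `flavor` flag and a `roles` ebitmap (the two fields named in the reply) is "written" at a module version with and without role attribute support, and then expanded the way linking/expansion would. The version numbers follow the thread (module format 13 is the first to carry role attributes, 12 is the downgraded version); the serialization, the `sample_module()` contents and the helper names (`write_roles`, `expand`, `types_for`, `roles_written`) are constructed for the illustration. It shows both outcomes for a downgraded module: skipping the attributes (the v2 behaviour) and writing them anyway, where they come back as unlinked ordinary roles.

```python
"""Toy model of role-attribute handling across a policy-module downgrade.

Constructed illustration for this thread; it is not libsepol, checkmodule or
refpolicy code.  Version constants follow the thread (module format 13 is the
first with role attributes, 12 the last without), and the `flavor`/`roles`
fields mirror libsepol's role_datum, but the serialization is invented.
"""
from dataclasses import dataclass, field

MOD_POLICYDB_VERSION_ROLEATTRIB = 13  # first module format with role attributes
ROLE_ROLE = 0                          # ordinary role
ROLE_ATTRIB = 1                        # role attribute


@dataclass
class RoleDatum:
    flavor: int
    types: set = field(default_factory=set)  # types this role/attribute may enter
    roles: set = field(default_factory=set)  # attribute only: regular roles carrying it


def write_roles(policy, policyvers, skip_attrs_when_downgraded):
    """Serialize the role table the way a version-gated writer would.

    Below MOD_POLICYDB_VERSION_ROLEATTRIB the flavor flag and the roles
    ebitmap are not part of the format, so they are dropped.  An attribute
    written anyway therefore comes back as an ordinary role with no link to
    the roles that carried it; skipping it instead is the patch's choice.
    """
    out = {}
    for name, r in policy.items():
        if policyvers >= MOD_POLICYDB_VERSION_ROLEATTRIB:
            out[name] = RoleDatum(r.flavor, set(r.types), set(r.roles))
            continue
        if r.flavor == ROLE_ATTRIB and skip_attrs_when_downgraded:
            continue
        out[name] = RoleDatum(ROLE_ROLE, set(r.types), set())
    return out


def expand(policy):
    """Map each regular role to its effective type set: its own types plus
    the types of every attribute whose `roles` set names it (the step that
    link/expansion performs)."""
    effective = {n: set(r.types) for n, r in policy.items() if r.flavor == ROLE_ROLE}
    for r in policy.values():
        if r.flavor == ROLE_ATTRIB:
            for member in r.roles:
                effective.setdefault(member, set()).update(r.types)
    return effective


def sample_module():
    """Constructed module: test_r carries rpm_roles and semanage_roles."""
    return {
        "test_r": RoleDatum(ROLE_ROLE, {"test_t", "passwd_t"}),
        "rpm_roles": RoleDatum(ROLE_ATTRIB, {"rpm_t", "rpm_script_t"}, {"test_r"}),
        "semanage_roles": RoleDatum(ROLE_ATTRIB, {"semanage_t", "load_policy_t"}, {"test_r"}),
    }


def types_for(role, policyvers, skip_attrs_when_downgraded=True):
    """Types `role` ends up with after the module is written at `policyvers`."""
    written = write_roles(sample_module(), policyvers, skip_attrs_when_downgraded)
    return expand(written).get(role, set())


def roles_written(policyvers, skip_attrs_when_downgraded=True):
    """Names that appear in the written role table at `policyvers`."""
    return set(write_roles(sample_module(), policyvers, skip_attrs_when_downgraded))


if __name__ == "__main__":
    print("v13:", sorted(types_for("test_r", 13)))
    print("v12, attributes skipped:", sorted(types_for("test_r", 12)))
    print("v12, attributes written anyway, roles seen:", sorted(roles_written(12, False)))
```

At version 13 test_r gets the attribute types through the `roles` link; at version 12 it keeps only its own two types either way, and the difference between skipping and not skipping is only whether `rpm_roles` and `semanage_roles` appear as stray ordinary roles in the written module.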