In January, we sent an RFC [1] for updating userspace to integrate CIL [2] and source policy. We received a lot of great feedback (thanks to Richard Haines, Dominick Grift, Stephen Smalley, and Dan Walsh) and are back with some changes, and again looking for more comments.

This keeps most of the changes from the previous RFC, including moving the policy store to /var/lib/selinux and replacing binary modules with support for CIL. Based on feedback from the previous email we have made changes and added new features to this patchset, specifically:

- Support for preserve tunables
- Infrastructure to support High Level Languages (HLLs)
- A new HLL compiler which converts .pp files to CIL

With the new HLL infrastructure and the pp to CIL compiler, we have successfully migrated a Fedora 20 system to the new /var/lib/selinux layout, treating the existing .pp files as high level languages, compiling them to CIL, and generating a binary policy file that is semantically equivalent. This infrastructure allows one to transition to a full CIL policy, but still allows for backwards compatibility with systems that rely either fully or partially on pp modules.

Because of the size of the patchset (66 file changes, ~8000 insertions, ~2000 deletions), all the changes have been pushed to the selinux git repository in three branches for comments/review. Each branch builds on the other, with their purposes described below:

src-revert: Reverts changes made to master that conflict with the src-policy branch (e.g. how paths are handled, enabling/disabling modules). Rather than dealing with a large amount of conflicts with the source policy work, it was easier to just remove the commits which add conflicting features, rebase the old source policy work on top of that, and add back any features in a manner consistent with source policy.

src-policy: This is a rebase of the old src-policy branch onto the src-revert branch, with some minor bug fixes squashed in. The goal of this patchset is to improve the API for module handling, add support for source policies, module priorities, enabling/disabling of modules, and moving the policy store from /etc/selinux/<store>/ to /var/lib/selinux/<store>/. Due to the use of -p/--path and -P/--preserve-tunables, the --priority short option was (pretty arbitrarily) changed to -X.

integration: This branch includes most of the more recent work. This builds CIL into libsepol, and updates libsepol, libsemanage, semodule, and semanage to work with and understand CIL files and manage /var/lib/selinux and /etc/selinux. Switching to CIL has a few side effects, such as removing base modules, versions, and upgrades. This also adds a new tool (installed to /usr/libexec/selinux/hll/pp), which is an HLL compiler that converts binary pp modules to CIL. The infrastructure to use this compiler (or any other HLL compiler) was added to compile HLL modules to CIL, which is accomplished by writing the HLL data to the stdin of the compiler and reading the equivalent CIL from stdout. The resulting CIL is then cached in the policy store so this compilation does not need to take place during future store updates. Cached CIL modules can be ignored using a new semodule flag (-C/--ignore-cache) or a new configuration option in semanage.conf (ignore-cache). Other configuration options were added to semanage.conf to manage the path to HLL compilers (compiler-directory) and the policy store (store-root). Semodule was also modified to support changing the policy store with the -S/--store-root option. Lastly, because much of the API is changed, the .so version numbers of libsemanage and libsepol were bumped to version 2.

With these three branches, it is possible to build and manage SELinux policy using pp and CIL modules and the familiar semodule/semanage tools. To make this easier to experiment with and test, below are the steps needed to install the updated userspace and migrate a minimal Fedora 20 installation to the new policy store.

Thanks, and we look forward to receiving your feedback.

- Steve

[1] http://marc.info/?l=selinux&m=138921403805934&w=2
[2] http://userspace.selinuxproject.org/trac/wiki/CilDesign

Steps to Install SELinux Userspace with source policy, CIL, and HLL

# Start with a fresh Fedora 20-x86_64 Minimal Installation

# Install SELinux userspace dependencies
$ yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-static gcc git glib2-devel libcap-ng-devel libcgroup-devel libsepol-static pcre-devel python-devel python-IPy setools-devel swig ustr-devel

# Disable the IRC module (this is due to an invalid filecon that has since been fixed)
$ semodule --disable irc

# Clone the repos and checkout branches
$ git clone -b integration http://oss.tresys.com/git/selinux.git
$ git clone https://bitbucket.org/jwcarter/secilc.git

# Create a symlink to secilc so CIL can be built into libsepol
$ ln -s ~/secilc/ selinux/libsepol/cil

# Install SELinux userspace with CIL integration and HLL support
$ make -C selinux LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap

# Migrate to the new source policy infrastructure
$ ./selinux/libsemanage/utils/semanage_migrate_etc_to_var.py --norebuild

# Install gnome module that removes a duplicate filename transition (see attached)
$ semodule --install gnome.cil

# List the installed modules, showing priority and HLL
$ semodule --list=full
Attachment: gnome.cil
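Editor's added example (not part of Steve's message, and not code from the selinux or secilc repositories): a small Python model of the HLL compile-and-cache step the integration branch describes, so the contract can be seen end to end. What it takes from the message is the compiler protocol (HLL bytes on the compiler's stdin, CIL on its stdout, compiler located under a compiler directory by language), the caching of the resulting CIL in the store, the -C/--ignore-cache bypass, and highest-priority-wins module shadowing. Everything else is an assumption made for illustration: the on-disk layout <store>/modules/<priority>/<name>/{hll,lang_ext,cil}, the function names, and the stub shell script that stands in for /usr/libexec/selinux/hll/pp (it simply echoes its input, whereas the real tool decompiles a binary .pp). The module contents are constructed sample data.

```python
"""Toy model of the HLL-to-CIL compile-and-cache flow from the RFC.

Added example; not the RFC's or libsemanage's code.  Assumed layout:
<store>/modules/<priority>/<name>/ holding 'hll' (source as installed),
'lang_ext' ("pp" or "cil") and, once compiled, the cached 'cil'.
"""
import os
import stat
import subprocess
import tempfile


class HLLCompileError(RuntimeError):
    pass


def compile_hll(hll_bytes, lang_ext, compiler_dir):
    """Pipe HLL source through <compiler_dir>/<lang_ext>; return the CIL bytes."""
    compiler = os.path.join(compiler_dir, lang_ext)
    if not os.access(compiler, os.X_OK):
        raise HLLCompileError("no HLL compiler for %r in %s" % (lang_ext, compiler_dir))
    proc = subprocess.run([compiler], input=hll_bytes, capture_output=True)
    if proc.returncode != 0:
        raise HLLCompileError("%s failed: %s" % (compiler, proc.stderr.decode(errors="replace")))
    return proc.stdout


def install_module(store_root, name, priority, lang_ext, hll_bytes):
    """Place a module in the store under its priority; compilation is deferred."""
    moddir = os.path.join(store_root, "modules", "%d" % priority, name)
    os.makedirs(moddir, exist_ok=True)
    with open(os.path.join(moddir, "hll"), "wb") as f:
        f.write(hll_bytes)
    with open(os.path.join(moddir, "lang_ext"), "w") as f:
        f.write(lang_ext + "\n")
    cached = os.path.join(moddir, "cil")  # a reinstall must drop any stale cache
    if os.path.exists(cached):
        os.unlink(cached)
    return moddir


def module_cil(moddir, compiler_dir, ignore_cache=False):
    """Return (cil_bytes, compiled_now); use the cached 'cil' file unless told not to."""
    with open(os.path.join(moddir, "lang_ext")) as f:
        lang_ext = f.read().strip()
    hll_path = os.path.join(moddir, "hll")
    if lang_ext == "cil":  # native CIL: nothing to compile, nothing to cache
        with open(hll_path, "rb") as f:
            return f.read(), False
    cil_path = os.path.join(moddir, "cil")
    if not ignore_cache and os.path.exists(cil_path):
        with open(cil_path, "rb") as f:
            return f.read(), False
    with open(hll_path, "rb") as f:
        cil = compile_hll(f.read(), lang_ext, compiler_dir)
    with open(cil_path, "wb") as f:  # cache so later store rebuilds skip the compiler
        f.write(cil)
    return cil, True


def active_modules(store_root):
    """Map module name -> dir, keeping the highest-priority copy of each name."""
    chosen = {}
    base = os.path.join(store_root, "modules")
    for prio in sorted(os.listdir(base), key=int):  # ascending, so higher wins
        for name in os.listdir(os.path.join(base, prio)):
            chosen[name] = os.path.join(base, prio, name)
    return chosen


def build_policy(store_root, compiler_dir, ignore_cache=False):
    """Collect CIL for every active module; return (policy_bytes, compile_count)."""
    parts, compiled = [], 0
    for name, moddir in sorted(active_modules(store_root).items()):
        cil, compiled_now = module_cil(moddir, compiler_dir, ignore_cache)
        compiled += int(compiled_now)
        parts.append(b";; module " + name.encode() + b"\n" + cil)
    return b"".join(parts), compiled


def make_stub_pp_compiler(compiler_dir):
    """Constructed stand-in for the pp HLL compiler: tags its input and echoes it."""
    path = os.path.join(compiler_dir, "pp")
    with open(path, "w") as f:
        f.write("#!/bin/sh\nprintf ';; compiled from pp by stub\\n'\ncat\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)
    return path


def demo():
    """Install constructed modules, rebuild three times, report compiler invocations."""
    with tempfile.TemporaryDirectory() as store, tempfile.TemporaryDirectory() as hll:
        make_stub_pp_compiler(hll)
        install_module(store, "irc", 100, "pp", b"(typeattribute irc_t)\n")
        install_module(store, "irc", 400, "pp", b"(type irc_t)\n")  # shadows priority 100
        install_module(store, "gnome", 400, "cil", b"(type gnome_t)\n")
        pol1, n1 = build_policy(store, hll)                     # pp compiled once, cached
        pol2, n2 = build_policy(store, hll)                     # served from the cache
        pol3, n3 = build_policy(store, hll, ignore_cache=True)  # the -C/--ignore-cache case
        return (n1, n2, n3, pol1 == pol2 == pol3,
                b"(type irc_t)" in pol1, b"typeattribute" in pol1)


if __name__ == "__main__":
    print(demo())
```

The point of the ignore-cache path is visible in the third rebuild: the cached CIL is only as trustworthy as the compiler that produced it, so a changed or fixed HLL compiler needs a forced recompile rather than a cache hit. The stub also shows why the compiler's exit status must be checked before caching; a failing compiler that still wrote partial stdout would otherwise be cached as if it were valid CIL.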