Re: [RFC] Source Policy, CIL, and High Level Languages

On 07/09/2014 03:21 PM, Steve Lawrence wrote:
> In January, we sent an RFC [1] to update userspace to integrate CIL
> [2] and source policy. And in April, we sent an updated RFC [3] which
> added support for high level languages and a tool to convert policy
> package (pp) files to CIL. After getting some good feedback, we have
> made some more changes, mostly to maintain ABI compatibility. The
> major changes made since the last patchset are:
> 
> - Change how semanage_set_root was re-added to use the source policy
>   infrastructure. Fixes were made so that semanage.conf was looked for
>   inside the root. Also adds a semanage_root() function to get the
>   current root.
> - In previous patchsets, the semanage_module_upgrade* and
>   semanage_module_install_base* functions were removed from the API,
>   and semanage_module_install* had modified parameters. However, these
>   changes broke the API and ABI. To maintain ABI compatibility, we've
>   now added symbolic versioning to support the old version of the
>   functions, which now just call the new install functions. semodule
>   is updated to support --base and --upgrade, but with the addition of
>   a deprecation message. API compatibility is not maintained.
> - Likewise, symbolic versioning was added to support the old module
>   enable/disable functions, which call the new enable/disable
>   functions.
> - Modify the libsepol Makefile to now make including CIL optional via
>   the DISABLE_CIL build flag. This only affects libsepol (not
>   libsemanage), primarily so that SE for Android does not need to
>   include unused CIL cruft.
> 
> With these changes, ABI compatibility is maintained. Additionally, we
> have tested these changes with the userspace tests and against the
> kernel test suite, and no new failures were discovered. We have
> also tested this patchset with both Fedora 20 policy and with reference
> policy and found no errors.
> 
> Because of the size of the patchset (67 file changes, ~8300
> insertions, ~1800 deletions), all the changes have been pushed to the
> selinux git repository to the 'integration' branch for
> comments/review. Unlike the previous RFCs, for simplicity there is now
> only a single branch, containing three types of changes:
> 
> Reverts
>    Reverts changes made to master that conflict with the new source
>    policy infrastructure (e.g. how paths are handled,
>    enabling/disabling modules). Rather than dealing with a large number
>    of conflicts with the source policy work, it was easier to just
>    remove the commits that added conflicting features, rebase the old
>    source policy work on top of that, and add back any features in a
>    manner consistent with source policy. The only conflicts were
>    related to enabling/disabling of modules, and semanage_set_root.
> 
> Source Policy
>    This is a rebase of the old src-policy branch on top of the
>    reverted commits.  The goal of these changes is to improve the API
>    for module handling, add support for source policies, module
>    priorities, enabling/disabling of modules, and moving the policy
>    store from /etc/selinux/<store>/ to /var/lib/selinux/<store>/.
> 
> CIL Integration
>    These changes build CIL into libsepol, and update libsepol,
>    libsemanage, semodule, and semanage to work with and understand CIL
>    files and manage /var/lib/selinux and /etc/selinux. Switching to
>    CIL has a few side effects, such as removing base modules,
>    versions, and upgrades.
> 
>    This also adds a new tool (installed to
>    /usr/libexec/selinux/hll/pp), which is an HLL compiler that
>    converts binary pp modules to CIL. The infrastructure to use this
>    compiler (or any other HLL compiler) was added to compile HLL
>    modules to CIL, which is accomplished by writing the HLL data to
>    the stdin of the compiler and reading the equivalent CIL from
>    stdout. The resulting CIL is then cached in the policy store so
>    this compilation does not need to take place during future store
>    updates. Cached CIL modules can be ignored using a new semodule
>    flag (-C/--ignore-cache) or a new configuration option in
>    semanage.conf (ignore-cache). Other configuration options were
>    added to semanage.conf to manage the path to HLL compilers
>    (compiler-directory) and the policy store (store-root). Semodule
>    was also modified to support changing the policy store with the
>    -S/--store-root option.
> 
>    Lastly, the CIL integration changes required changes to the API,
>    but symbolic versioning was used to maintain ABI compatibility.
>    Because of this, the .so version is no longer incremented like in
>    the previous version of this RFC.
> 
> With these changes, it is possible to build and manage SELinux
> policy using pp and CIL modules and the familiar semodule/semanage
> tools.
> 
> To make this easier to experiment with and test, below are the steps
> needed to install the updated userspace and migrate a minimal Fedora 20
> installation to the new policy store.
> 
> Thanks, and we look forward to any questions/comments.
> 
> - Steve
> 
> [1] http://marc.info/?l=selinux&m=138921403805934&w=2
> [2] https://github.com/SELinuxProject/cil/wiki
> [3] http://marc.info/?l=selinux&m=139878606630921&w=2
> 
> 
> Steps to Install SELinux Userspace with source policy, CIL, and HLL
> 
> # Start with a fresh Fedora 20-x86_64 Minimal Installation
> 
> # Install SELinux userspace dependencies
> $ yum install audit-libs-devel bison bzip2-devel dbus-devel \
>     dbus-glib-devel flex flex-static gcc git glib2-devel libcap-ng-devel \
>     libcgroup-devel libsepol-static pcre-devel python-devel python-IPy \
>     setools-devel swig ustr-devel
> 
> # Update to the latest targeted policy
> $ yum update selinux-policy-targeted
> 
> # Clone the repos and checkout branches
> $ git clone -b integration https://github.com/SELinuxProject/selinux.git
> $ git clone -b master https://github.com/SELinuxProject/cil.git
> 
> # Create a symlink to the cil repo so CIL can be built into libsepol
> $ ln -s ~/cil/ selinux/libsepol/cil
> 
> # Install SELinux userspace with CIL integration and HLL support
> $ make -C selinux LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap
> 
> # Migrate to the new source policy infrastructure
> $ ./selinux/libsemanage/utils/semanage_migrate_etc_to_var.py
> 
> # List the installed modules, showing priority and HLL
> $ semodule --list=full

valgrind memcheck reports some issues:
# valgrind --leak-check=full setsebool -P httpd_can_network_connect=1
==10089== Memcheck, a memory error detector
==10089== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==10089== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==10089== Command: setsebool -P httpd_can_network_connect=1
==10089==
==10089== Conditional jump or move depends on uninitialised value(s)
==10089==    at 0x511F50A: semanage_compile_hll (direct_api.c:937)
==10089==    by 0x511FD97: semanage_direct_commit (direct_api.c:1071)
==10089==    by 0x512DF59: semanage_commit (handle.c:426)
==10089==    by 0x4019C2: semanage_set_boolean_list (setsebool.c:206)
==10089==    by 0x401C48: setbool (setsebool.c:271)
==10089==    by 0x40161A: main (setsebool.c:94)
==10089==
(still running, may be more...)
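
The RFC above describes the HLL compiler contract only in one sentence: libsemanage writes the HLL data to the compiler's stdin, reads the equivalent CIL from its stdout, and caches the result in the policy store. The driver below is an added example of that contract, written for this page; it is not libsemanage's semanage_compile_hll (the function valgrind flags above) and makes no claim about that code. The function name compile_hll, the stand-in "compilers" /bin/cat (echoes its input, so the round trip must be byte-exact) and /bin/false (fails, so nothing may be returned), and the CIL-looking sample text are all constructed for the example. Two points it makes that the one-sentence description does not: the driver only hands back output when the compiler exited with status 0, so a failed or missing compiler can never leave a half-written module in the cache; and stdin and stdout are multiplexed with poll(), because writing the whole input before reading any output deadlocks as soon as the compiler's output outruns the pipe buffer (the sample input is deliberately larger than one).

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Illustrative HLL-compiler driver (not libsemanage's semanage_compile_hll):
 * run `compiler` with no arguments, feed `hll` to its stdin, return its stdout
 * as NUL-terminated, malloc'd CIL.  Returns 0 only if the compiler exits 0;
 * otherwise -1 with *cil_out NULL, so a failed compile is never cached. */
int compile_hll(const char *compiler, const char *hll, size_t hll_len,
                char **cil_out, size_t *cil_len)
{
    int in[2] = {-1, -1}, out[2] = {-1, -1}, rc = -1, drained = 0, status;
    size_t cap = 4096, len = 0, written = 0;
    char *buf = NULL, *nb;
    pid_t pid = -1, w;
    struct pollfd fds[2];
    void (*oldpipe)(int);

    *cil_out = NULL; *cil_len = 0;
    if (pipe(in) < 0 || pipe(out) < 0 || (pid = fork()) < 0)
        goto out;
    if (pid == 0) {                          /* child: wire the pipes, then exec */
        if (dup2(in[0], STDIN_FILENO) < 0 || dup2(out[1], STDOUT_FILENO) < 0)
            _exit(127);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        execl(compiler, compiler, (char *)NULL);
        _exit(127);                          /* exec failed */
    }
    close(in[0]); in[0] = -1; close(out[1]); out[1] = -1;
    fcntl(in[1], F_SETFL, O_NONBLOCK);       /* short writes instead of blocking ones */
    oldpipe = signal(SIGPIPE, SIG_IGN);      /* compiler exits early -> EPIPE, not death */
    if (!(buf = malloc(cap)))
        goto reap;
    fds[0].fd = hll_len ? in[1] : -1; fds[0].events = POLLOUT;
    fds[1].fd = out[0];                 fds[1].events = POLLIN;
    if (!hll_len) { close(in[1]); in[1] = -1; }   /* nothing to send: give EOF now */
    /* Multiplex stdin and stdout: feeding all input before draining any output
     * deadlocks once the compiler's output outruns the pipe buffer. */
    while (fds[0].fd >= 0 || fds[1].fd >= 0) {
        if (poll(fds, 2, -1) < 0) { if (errno == EINTR) continue; goto reap; }
        if (fds[0].fd >= 0 && fds[0].revents) {
            ssize_t n = write(in[1], hll + written, hll_len - written);
            if (n > 0) written += (size_t)n;
            /* all sent, or EPIPE because the compiler stopped reading: stop
             * feeding, keep draining its output, let the exit status decide */
            if (written == hll_len || (n < 0 && errno != EINTR && errno != EAGAIN)) {
                close(in[1]); in[1] = -1; fds[0].fd = -1;
            }
        }
        if (fds[1].fd >= 0 && fds[1].revents) {
            if (len + 1 >= cap) {                /* keep a byte spare for the NUL */
                if (!(nb = realloc(buf, cap * 2))) goto reap;
                buf = nb; cap *= 2;
            }
            ssize_t n = read(out[0], buf + len, cap - len - 1);
            if (n > 0) len += (size_t)n;
            else if (n == 0) { close(out[0]); out[0] = -1; fds[1].fd = -1; }
            else if (errno != EINTR && errno != EAGAIN) goto reap;
        }
    }
    drained = 1;
reap:
    if (in[1] >= 0) { close(in[1]); in[1] = -1; }
    if (out[0] >= 0) { close(out[0]); out[0] = -1; }
    do { w = waitpid(pid, &status, 0); } while (w < 0 && errno == EINTR);
    signal(SIGPIPE, oldpipe);
    if (drained && w == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0) {
        buf[len] = '\0'; *cil_out = buf; *cil_len = len; buf = NULL; rc = 0;
    }
out:
    free(buf);
    for (int i = 0; i < 2; i++) { if (in[i] >= 0) close(in[i]); if (out[i] >= 0) close(out[i]); }
    return rc;
}

/* Constructed sample: ~266 KiB of CIL-looking text, more than a pipe holds,
 * pushed through /bin/cat standing in for a compiler that echoes its input.
 * Returns 1 if the round trip is byte-exact and NUL-terminated. */
int demo_roundtrip(void)
{
    const char *line = "(allow hll_demo_t self (file (read)))\n";
    size_t n = strlen(line), total = n * 7000, cil_len = 0, i;
    char *src = malloc(total), *cil = NULL;
    int ok = 0;
    if (!src) return 0;
    for (i = 0; i < 7000; i++) memcpy(src + i * n, line, n);
    if (compile_hll("/bin/cat", src, total, &cil, &cil_len) == 0)
        ok = cil_len == total && memcmp(cil, src, total) == 0 && cil[total] == 0;
    free(src); free(cil);
    return ok;
}

/* A compiler that fails (/bin/false) or cannot be executed must yield -1 and
 * no CIL at all, never something a caller might cache.  Returns 1 if so. */
int demo_rejects_failures(void)
{
    const char *src = "(block hll_demo)\n";
    char *cil = NULL; size_t len = 0;
    return compile_hll("/bin/false", src, strlen(src), &cil, &len) == -1 && !cil
        && compile_hll("/nonexistent/hll", src, strlen(src), &cil, &len) == -1 && !cil;
}

int main(void)
{
    printf("cat round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    printf("failures rejected: %s\n", demo_rejects_failures() ? "ok" : "FAILED");
    return 0;
}
```

The driver runs whatever sits at the configured compiler path with the caller's privileges, and semodule normally runs as root; whatever directory compiler-directory in semanage.conf points at therefore needs the same ownership and write-protection as the policy store itself, since anything placed there is executed on every store update that misses the cache. The example ignores SIGPIPE process-wide for the duration of the call; a library would more likely do that once at initialisation or use a per-call mechanism, but the effect shown is the one that matters: a compiler that exits early produces EPIPE and a non-zero status, not a dead semodule.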


_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx