On Fri, Mar 17, 2023 at 2:02 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote:
>
> On Thu, Mar 9, 2023 at 9:41 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> >
> > The check_ext_changes option currently assumes that as long as the
> > module content is unchanged, it is safe to assume that the policy.linked
> > file doesn't need to be rebuilt. However, there are some additional
> > parameters that can affect the content of this policy file, namely:
> > * the disable_dontaudit and preserve_tunables flags
> > * the target_platform and policyvers configuration values
> >
> > Include these in the checksum so that the option works correctly when
> > only some of these input values are changed versus the current state.
> >
> > Fixes: 286a679fadc4 ("libsemanage: optionally rebuild policy when modules are changed externally")
> > Signed-off-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
>
> Feel free to merge it.

Thanks, merged:
https://github.com/SELinuxProject/selinux/commit/a171ba62bbba891a8dce2239327b1d905f695b82

> I was wondering if we ought to somehow unify
> the logic around do_rebuild and check_ext_changes to ensure that an
> update to one is also reflected in the other but that can be done
> later. I don't think do_rebuild currently is set based on
> target_platform or policyvers, likely because we don't ever change the
> former and we only change the latter for libsepol upgrades that
> support newer kernel policy versions and the kernel will cheerfully
> accept the older policy versions (and the new policy version likely
> won't be leveraged until there is an actual change to a policy module
> to use some new feature).

Yeah, I may have gone a bit overboard with those two parameters, but I
wanted to be safe rather than sorry.

--
Ondrej Mosnacek
Senior Software Engineer, Linux Security - SELinux kernel
Red Hat, Inc.
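The failure mode the commit message describes, shown as an added, self-contained C example rather than libsemanage's own code: a rebuild decision keyed on a checksum of the module contents alone misses a change to disable_dontaudit (or preserve_tunables, target_platform, policyvers), so a stale policy.linked is kept; folding those inputs into the same digest fixes it. The build_inputs struct, the FNV-1a hash, the numeric values and the sample module text are all constructed for this illustration and are not libsemanage or libsepol identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative model of the inputs that shape policy.linked (constructed,
 * not libsemanage's handle/config structures). */
struct build_inputs {
    const char *const *modules;   /* installed module contents */
    size_t nmodules;
    int disable_dontaudit;        /* the two flags named in the patch */
    int preserve_tunables;
    int target_platform;          /* the two config values named in the patch */
    int policyvers;
};

#define FNV_BASIS 0xcbf29ce484222325ULL

/* 64-bit FNV-1a, chained so several fields feed one digest. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len)
{
    const unsigned char *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Hash each module body length-prefixed, so module boundaries are unambiguous. */
static uint64_t hash_modules(uint64_t h, const struct build_inputs *in)
{
    h = fnv1a(h, &in->nmodules, sizeof in->nmodules);
    for (size_t i = 0; i < in->nmodules; i++) {
        size_t len = strlen(in->modules[i]);
        h = fnv1a(h, &len, sizeof len);
        h = fnv1a(h, in->modules[i], len);
    }
    return h;
}

/* Before the fix: only module content is covered. */
uint64_t checksum_modules_only(const struct build_inputs *in)
{
    return hash_modules(FNV_BASIS, in);
}

/* After the fix: the flags and config values are folded into the digest. */
uint64_t checksum_with_params(const struct build_inputs *in)
{
    uint64_t h = hash_modules(FNV_BASIS, in);
    h = fnv1a(h, &in->disable_dontaudit, sizeof in->disable_dontaudit);
    h = fnv1a(h, &in->preserve_tunables, sizeof in->preserve_tunables);
    h = fnv1a(h, &in->target_platform, sizeof in->target_platform);
    h = fnv1a(h, &in->policyvers, sizeof in->policyvers);
    return h;
}

/* 1 if the digest stored at the last build no longer matches the inputs. */
int needs_rebuild(uint64_t stored, uint64_t current)
{
    return stored != current;
}

/* Constructed sample modules; the content never changes in the scenarios below. */
static const char *const sample_modules[] = {
    "module base 1.0; allow a_t b_t:file read;",
    "module extra 1.0; dontaudit a_t c_t:file write;",
};

static struct build_inputs sample(int disable_dontaudit, int policyvers)
{
    struct build_inputs in = { sample_modules, 2, disable_dontaudit, 0,
                               /* hypothetical platform id */ 0, policyvers };
    return in;
}

/* Old checksum: toggling only disable_dontaudit is NOT noticed (returns 0). */
int old_detects_flag_change(void)
{
    struct build_inputs before = sample(0, 33), after = sample(1, 33);
    return needs_rebuild(checksum_modules_only(&before),
                         checksum_modules_only(&after));
}

/* New checksum: the same toggle IS noticed (returns 1). */
int new_detects_flag_change(void)
{
    struct build_inputs before = sample(0, 33), after = sample(1, 33);
    return needs_rebuild(checksum_with_params(&before),
                         checksum_with_params(&after));
}

/* New checksum: bumping only policyvers is also noticed (returns 1). */
int new_detects_policyvers_change(void)
{
    struct build_inputs before = sample(0, 33), after = sample(0, 34);
    return needs_rebuild(checksum_with_params(&before),
                         checksum_with_params(&after));
}

/* New checksum with identical inputs must still say "no rebuild" (returns 0). */
int new_stable_when_unchanged(void)
{
    struct build_inputs a = sample(0, 33), b = sample(0, 33);
    return needs_rebuild(checksum_with_params(&a), checksum_with_params(&b));
}
```

The point of the length prefix in hash_modules is the usual one for any "hash a list of inputs" cache key: without it, two different module sets can concatenate to the same byte stream and collide, which would be a second way for an external change to go unnoticed.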