[Rpm-maint] [PATCH 11/19] Parse new policy requires header and check policy dependencies

Steve Lawrence slawrence at tresys.com
Thu Mar 4 21:32:53 UTC 2010


On Thu, 2010-03-04 at 12:56 +0200, Panu Matilainen wrote:
> On Tue, 2 Feb 2010, Steve Lawrence wrote:
> 
> > After a policy set has been prepared (rpmpolsPrepare), a call to
> > rpmpolsCheckDeps will determine if PolicyReuqires: dependencies are met.
> > This function only checks against packages currently installed.
> >
> > Also, PolicyRequires are merged into Requires, so if normal dependency
> > checks pass, we know the PolicyRequries packages will be installed by the
> > end of the transaction.
> 
> The policy/module dependencies seem strangely familiar to me... obsoletes, 
> conflicts and requires. It should be possible to map them to the existing 
> dependency information, adding a parallel set of selinux (or anything else 
> for that matter) specific dependencies looks like road to madness to me.
> 
> Here's an idea, related to the pseudo-package issue too:
> 
> Instead of creating a parallel universe of dependencies and 
> pseudo-packages, turn the policy/module bits into transaction elements and 
> have them processed business as usual. Something in the lines of: detect 
> the presence of selinux modules in a package in rpmtsAddInstallElement() 
> create a header of the policy bits and add another transaction 
> element for it. That way the dependencies etc will get processed along 
> with everything else, instead of requiring a whole new set of things.
> 
> Or so the theory goes - sure it's going to need various enhancements here 
> and there, such as probably a new element type-bit so added policies would 
> be something like (TR_ADDED|TR_POLICY) and filter in various places etc.
> 
> And actually the case of pseudo-package generation here is a sub-case of 
> more generic "package(s) within a package" idiom which comes up every now 
> and then. If the policy parts were stored (at package build-time) in a 
> header of their own, nested inside the main package header (a header is 
> just binary data and headers can contain such data), 
> rpmtsAddInstallElement() could basically just grab the policy header and 
> call itself to add another element from it, no need for runtime 
> transformations of dependency and other data.

Another interesting idea that we'll have to give a bit more thought. But
it seems like a nice compromise between using rpm's PRCO with separate
policy packages, but still have them hidden from the users.

> Again, so the theory goes. I've no doubt various internals will need 
> tweaking to make it possible in practise.
> 
> BTW one very real issue with storing policies in headers (nested or not) 
> is that the header size is currently capped at 16MB, and people are 
> already hitting that limit occasionally. It takes a huge number of files 
> to reach that, but adding arbitrary amount of selinux modules into the 
> header is not going to do anything to help. The limit needs raising sooner 
> than later anyway, but packages with headers bigger than 16MB will be 
> unreadable by every rpm currently deployed, and there's no way to add a 
> nice little feature-tracking dependency for it.
> 
>  	- Panu -


More information about the Rpm-maint mailing list