[Rpm-maint] [PATCH 04/19] Add new %policy section to the spec file format
Panu Matilainen
pmatilai at laiskiainen.org
Fri Mar 5 15:09:20 UTC 2010
On Thu, 4 Mar 2010, Steve Lawrence wrote:
>>>
>>> After each %module directive can be zero or more options, specified in
>>> the same format as Preamble tags. The current options are:
>>>
>>> Base: Whether or not the module is a base module. Values can be
>>> yes/1 or no/0. Defaults to no/0 if not given.
>>>
>>> Name: The name of the module. If not given, we assume the name is
>>> the basename of the module file with file extensions removed
>>
>> Are the cases where the basename of the module can be different from the
>> modules internal name in practise? If so, ok... but do use a different
>> keyword for it, "Name" gets easily mixed up with the actual package name
>> tag.
>
> In practice, the basename and module name are the same, but this has
> never been a requirement before. We'll have to make sure adding that
> requirement doesn't break anything, but it doesn't look like it should
> be a problem, allowing us to drop the Name option altogether.
Actually... the module already knows its name, right? Why does rpm need to
store it separately? And the same goes for type, base and pretty much all
of this: the module should contain that information (if it already
doesn't), and if rpm needs to know something about a module, it should be
able to ask for that information form a selinux library.
The less rpm knows about selinux, the better it is for everybody. As of
now, it knows the bare possible minimum: it knows about file contexts and
how to set them when laying down files on disk. What we're talking about
here is making it possible to ship selinux modules in packages, and that
as such is a perfectly sensible and reasonable goal to me.
My main beef with these patches is that they attach far too many strings
between selinux and rpm - rpm's business is to manage packages, not
selinux. I think right now we should all stand back a bit and figure the
big picture out first: what are the things you want to ultimately achieve
here, what of it actually belongs to rpm and what doesn't, and only then
start shuffling with the details of how to achieve that in a way that
makes sense for everybody. Oh and I do owe you Tresys folks an apology: I
should've said this a long long time ago. I assumed we'd just start
discussing this thing, and frankly was struck dumb by this pile of patches
which I certainly weren't expecting and wasn't prepared to digest at the
time. So I've been mulling over and over this thing and intending to start
commenting tomorrow, tomorrow, next week, next week... :-/
But to get back to the business: my view of this is that in order to
support selinux modules inside packages, all rpm would need to know about
selinux modules is
1) At build time, the selinux module files need to be identified as they
need to be stored specially (ie in package metadata to be able to
extract them in pre-transaction stage). Hook for validating the
policies seems fine - rpm already does various tests for package
content sanity when building.
2) In the transaction machinery, rpm needs to identify the packages
containing modules, ask selinux which (if any) of the modules in each
package are appropriate for the system configuration, and hand those to
semanage to deal with.
Rpm packages shouldn't have to know anything at all about base modules,
specific policy types and whatnot, it just needs to be able to determine
which of the modules fits the system configuration and hand it to semanage
to deal with. I'd guess you don't want a
semanage_lookup_a_suitable_module_from_this_list_for_me_please() function
in the selinux libs :) but just having a way to query the policy types
from the system & modules should do (pythonisque pseudo-code but I hope
you get the idea)
poltype = selinux_getpolicytype()
for mod in package_modules:
if selinux_getmoduletype(mod) == poltype:
# add module to semanage transaction
The point: the selinux specific information is stored and handled in the
selinux layer where it IMO belongs, rpm is little else than a dumb
messenger who wants yes/no answers. And that's the direction I would
like to see this development go.
- Panu -
More information about the Rpm-maint
mailing list