[Rpm-maint] [PATCH 04/19] Add new %policy section to the spec file format

Panu Matilainen pmatilai at laiskiainen.org
Fri Mar 5 15:09:20 UTC 2010


On Thu, 4 Mar 2010, Steve Lawrence wrote:
>>>
>>> After each %module directive can be zero or more options, specified in
>>> the same format as Preamble tags. The current options are:
>>>
>>> Base:      Whether or not the module is a base module. Values can be
>>>           yes/1 or no/0. Defaults to no/0 if not given.
>>>
>>> Name:      The name of the module. If not given, we assume the name is
>>>           the basename of the module file with file extensions removed
>>
>> Are the cases where the basename of the module can be different from the
>> modules internal name in practise? If so, ok... but do use a different
>> keyword for it, "Name" gets easily mixed up with the actual package name
>> tag.
>
> In practice, the basename and module name are the same, but this has
> never been a requirement before. We'll have to make sure adding that
> requirement doesn't break anything, but it doesn't look like it should
> be a problem, allowing us to drop the Name option altogether.

Actually... the module already knows its name, right? Why does rpm need to 
store it separately? And the same goes for type, base and pretty much all 
of this: the module should contain that information (if it already 
doesn't), and if rpm needs to know something about a module, it should be 
able to ask for that information form a selinux library.

The less rpm knows about selinux, the better it is for everybody. As of 
now, it knows the bare possible minimum: it knows about file contexts and 
how to set them when laying down files on disk. What we're talking about 
here is making it possible to ship selinux modules in packages, and that 
as such is a perfectly sensible and reasonable goal to me.

My main beef with these patches is that they attach far too many strings 
between selinux and rpm - rpm's business is to manage packages, not 
selinux. I think right now we should all stand back a bit and figure the 
big picture out first: what are the things you want to ultimately achieve 
here, what of it actually belongs to rpm and what doesn't, and only then 
start shuffling with the details of how to achieve that in a way that 
makes sense for everybody. Oh and I do owe you Tresys folks an apology: I 
should've said this a long long time ago. I assumed we'd just start 
discussing this thing, and frankly was struck dumb by this pile of patches 
which I certainly weren't expecting and wasn't prepared to digest at the 
time. So I've been mulling over and over this thing and intending to start 
commenting tomorrow, tomorrow, next week, next week... :-/

But to get back to the business: my view of this is that in order to 
support selinux modules inside packages, all rpm would need to know about 
selinux modules is

1) At build time, the selinux module files need to be identified as they
    need to be stored specially (ie in package metadata to be able to
    extract them in pre-transaction stage). Hook for validating the
    policies seems fine - rpm already does various tests for package
    content sanity when building.
2) In the transaction machinery, rpm needs to identify the packages
    containing modules, ask selinux which (if any) of the modules in each
    package are appropriate for the system configuration, and hand those to
    semanage to deal with.

Rpm packages shouldn't have to know anything at all about base modules, 
specific policy types and whatnot, it just needs to be able to determine 
which of the modules fits the system configuration and hand it to semanage 
to deal with. I'd guess you don't want a 
semanage_lookup_a_suitable_module_from_this_list_for_me_please() function 
in the selinux libs :) but just having a way to query the policy types 
from the system & modules should do (pythonisque pseudo-code but I hope 
you get the idea)

     poltype = selinux_getpolicytype()
     for mod in package_modules:
        if selinux_getmoduletype(mod) == poltype:
            # add module to semanage transaction

The point: the selinux specific information is stored and handled in the 
selinux layer where it IMO belongs, rpm is little else than a dumb 
messenger who wants yes/no answers. And that's the direction I would 
like to see this development go.

 	- Panu -








More information about the Rpm-maint mailing list