From: Dominick Grift
To: Chris PeBenito
Cc: Topi Miettinen, Russell Coker, refpolicy
Subject: Re: [RFC] Purging dead modules
Date: Wed, 13 Jan 2021 14:33:50 +0100
In-Reply-To: <86e9b2ce-22ab-3de2-25f9-8e2f485e88c8@ieee.org> (Chris PeBenito's message of "Wed, 13 Jan 2021 08:21:49 -0500")
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Chris PeBenito writes:

> On 1/11/21 6:52 PM, Topi Miettinen wrote:
>> On 11.1.2021 17.48, Russell Coker wrote:
>>> On Tuesday, 12 January 2021 2:23:47 AM AEDT Dominick Grift wrote:
>>>>> I'm looking to remove modules for dead programs, such as hal and
>>>>> consolekit. The question is how long to keep modules for dead
>>>>> programs? I'm thinking something like 3-5 years.
>>>>
>>>> Agree
>>>
>>> I think we should drop them when the programs aren't in the latest DEVELOPMENT
>>> versions of Fedora, Debian, or any other distribution that supports SE Linux.
>> I think this could be automated. If no file contexts in a module
>> match any files in a list of all files of all packages of the
>> selected distros concatenated, the module is probably obsolete
>> (which could be also verified by looking at old releases) or it's
>> for 3rd party software (never found in earlier distro releases). I
>> tried to do this locally to disable unused modules, but it took way
>> too long with shell scripts. I suppose with a database or other
>> proper tools it would be trivial.
>
> This is a good idea, but may be a problem for the Gentoo guys.
>
> I'd probably simplify it to only looking at labels for executables,
> since a package's manifest might not hit all of the data files'
> entries.

Not sure if it is worth the trouble to automate this. The list of
candidates I came up with was also verified by just using `dnf
whatprovides /usr/bin/app` to see if it returns. Most modules though are
still relevant and it is pretty obvious that they are still relevant.
So I would argue that spending half an hour perusing the refpolicy and
looking for candidates, then verifying is enough to at least identify the
most obvious candidates for removal.

In reply to Russell Coker and kerneloops:

Does kerneloops not depend on kerneloops.org? AFAIK that site is offline
so not sure how Debian still expects kerneloops to still work?

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
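
The check discussed in the quoted thread (match a module's file contexts against the files shipped by the selected distributions, restricted to executable labels) can be sketched as follows. This is an added example, not part of the original message or of refpolicy; the function names, the sample `.fc` text and the packaged-file list are constructed for illustration, and treating types ending in `_exec_t` as "labels for executables" is an assumption.

```python
import re

# A refpolicy .fc entry: <path regex> [<file type flag>] gen_context(user:role:type,range)
FC_LINE = re.compile(
    r"^(\S+)\s+(?:(-[-dbclsp])\s+)?gen_context\(\s*[^:]+:[^:]+:([^,:)\s]+)")

def exec_specs(fc_text):
    """Return the path regexes of entries whose type ends in _exec_t (assumed convention)."""
    specs = []
    for line in fc_text.splitlines():
        m = FC_LINE.match(line.strip())  # comments and m4 ifdef lines do not match
        if m and m.group(3).endswith("_exec_t"):
            specs.append(m.group(1))
    return specs

def removal_candidates(modules, packaged_files):
    """modules: {module name: .fc text}; packaged_files: absolute paths from distro manifests.
    Returns modules none of whose executable specs match any packaged file."""
    files = list(packaged_files)
    candidates = []
    for name, fc_text in modules.items():
        patterns = []
        for spec in exec_specs(fc_text):
            try:
                patterns.append(re.compile(spec))
            except re.error:
                continue  # spec uses syntax Python's re rejects: ignore it
        if not patterns:
            continue  # no executable labels, so this check cannot judge the module
        if not any(p.fullmatch(f) for p in patterns for f in files):
            candidates.append(name)
    return sorted(candidates)

# Constructed sample data (hypothetical .fc contents and package file list).
SAMPLE_MODULES = {
    "hal": """/etc/hal(/.*)?       gen_context(system_u:object_r:hald_etc_t,s0)
/usr/sbin/hald       --  gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-.*  --  gen_context(system_u:object_r:hald_exec_t,s0)""",
    "ssh": """/usr/bin/ssh   --  gen_context(system_u:object_r:ssh_exec_t,s0)
/usr/sbin/sshd  --  gen_context(system_u:object_r:sshd_exec_t,s0)""",
    "dataonly": "/var/lib/foo(/.*)?  gen_context(system_u:object_r:foo_var_lib_t,s0)",
}
SAMPLE_FILES = ["/usr/bin/ssh", "/usr/sbin/sshd", "/usr/bin/bash"]

if __name__ == "__main__":
    print(removal_candidates(SAMPLE_MODULES, SAMPLE_FILES))
```

A module flagged this way is only a candidate: as the thread notes, it may instead belong to third-party software that no distribution packages.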