From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 16 Dec 2016 18:18:31 +0100
Subject: [refpolicy] [PATCH v2] Do not keep disabled modules during new policy load
In-Reply-To:
References: <1481831671.24835.1.camel@trentalancia.net> <1481835895.24835.3.camel@trentalancia.net>
Message-ID: <1481908711.2610.16.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher!

On Thu, 15/12/2016 at 19.31 -0500, Chris PeBenito wrote:
> On 12/15/16 16:04, Guido Trentalancia via refpolicy wrote:
> >
> > When loading a new modular policy, remove all policy modules that
> > have been previously loaded but have now been explicitly disabled.
> >
> > If the batch removal process fails, for example because one or more
> > enabled modules depend on one or more modules to be removed, remove
> > each module separately (much slower but most effective).
>
> The policy makefiles were never meant to do this. The targets for
> loading modules are just for convenience, and not meant to add another
> layer of policy management to what we already have with
> semodule/semanage.

Even if originally it was not designed to provide such a facility, it is never too late to offer something more to the user.

Generally speaking, one would probably expect that the "load" target only loads modules that are enabled in the policy/modules.conf file and not modules that are disabled...

By the way, after removing several modules that I do not use, I came across some strange behaviour of the system, so I wonder if you have any idea of what is actually going on.

The system became unstable due to several permission denied errors and it seems like parts of the policy have not been loaded, even though "semodule -l" shows that the relevant modules are there.
For example:

# sesearch -t xsession_exec_t -c file -p entrypoint -Ad

shows nothing, while it should show the result of calling the xserver_xsession_entry_type() interface from xserver_restricted_role(), which is called by xserver_role() as usual!

Another example is as follows. Even though the domain module is loaded (because "semodule -l" shows that the base is loaded), the following command:

# sesearch -s domain -c file -Ad

only shows:

Found 5 semantic av rules:
   allow domain ld_so_t : file { ioctl read getattr execute open } ;
   allow domain ld_so_cache_t : file { ioctl read getattr lock open } ;
   allow domain cpu_online_t : file { ioctl read getattr lock open } ;
   allow domain lib_t : file { ioctl read getattr execute open } ;
   allow domain textrel_shlib_t : file { ioctl read getattr execute execmod open } ;

while I believe it should at least show other "domain self:file" permissions.

Do you know what is actually going on after I removed the unused modules? They were all optional stuff that is not installed on the system...

> > Signed-off-by: Guido Trentalancia
> > ---
> >  Rules.modular |    6 +++++-
> >  1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff -pru a/Rules.modular b/Rules.modular
> > --- a/Rules.modular 2016-12-15 19:23:50.693731447 +0100
> > +++ b/Rules.modular 2016-12-15 20:40:42.482313515 +0100
> > @@ -21,6 +21,7 @@ base_post_te_files := $(user_files) $(po
> >  base_fc_files := $(base_mods:.te=.fc)
> >
> >  mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
> > +off_mod_names := $(basename $(off_mods))
> >
> >  # policy packages to install
> >  instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg))
> > $(mod_pkgs))
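Review bot: `$(basename $(off_mods))` on the added off_mod_names line keeps any directory prefix, whereas mod_pkgs on the context line just above reduces $(mod_mods) to bare package names with `$(notdir ...)`. If $(off_mods) carries the same policy/modules/... paths as $(mod_mods), the `semodule -r` in the load target will be handed paths instead of module names and every removal will fail; `off_mod_names := $(notdir $(basename $(off_mods)))` is correct either way.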
> > @@ -48,7 +49,9 @@ install: $(instpkg) $(appfiles)
> >
> >  ########################################
> >  #
> > -# Load all configured modules
> > +# Load all configured modules and remove
> > +# all modules that have been explicitly
> > +# disabled
> >  #
> >  load: $(instpkg) $(appfiles)
> >  # make sure two directories exist since they are not
> > @@ -56,6 +59,7 @@ load: $(instpkg) $(appfiles)
> >   @echo "Loading configured modules."
> >   @$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> >   $(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir
> > $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> > + -$(verbose) $(SEMODULE) -s $(NAME) -r $(foreach
> > offmod,$(off_mod_names),$(offmod)) || $(foreach
> > offmod,$(off_mod_names),$(SEMODULE) -s $(NAME) -r $(offmod);)
> >
> >  ########################################
> >  #

Regards,

Guido
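Review bot: the added `semodule -r` recipe line in the load target breaks when no module is disabled and takes its slow path on every load after the first. With an empty off_mod_names the line expands to `semodule -s $(NAME) -r ||` with nothing after the `||`, which the shell rejects as a syntax error; the leading `-` only keeps make from aborting, the error is still reported. Guard the whole line with `$(if $(off_mod_names),...)`. After one successful removal the disabled modules are no longer installed, so on the next `make load` the batch `-r` fails because they are absent and the per-module fallback then runs and fails for each of them as well, so this target reports errors on every routine load. The fallback also cannot do what the commit message promises: if the batch removal failed because an enabled module depends on a disabled one, the single `semodule -r` for that module hits the same dependency. Minor: `$(foreach offmod,$(off_mod_names),$(offmod))` is just `$(off_mod_names)`.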