From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 16 Dec 2016 23:47:16 +0100
Subject: [refpolicy] [PATCH v2] Do not keep disabled modules during new policy load
In-Reply-To: <1481908711.2610.16.camel@trentalancia.net>
References: <1481831671.24835.1.camel@trentalancia.net>
 <1481835895.24835.3.camel@trentalancia.net>
 <1481908711.2610.16.camel@trentalancia.net>
Message-ID: <1481928436.3283.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 16/12/2016 at 18.18 +0100, Guido Trentalancia via refpolicy wrote:
> Hello Christopher !
> 
> On Thu, 15/12/2016 at 19.31 -0500, Chris PeBenito wrote:
> > 
> > On 12/15/16 16:04, Guido Trentalancia via refpolicy wrote:
> > > 
> > > When loading a new modular policy, remove all policy modules that
> > > have been previously loaded but have now been explicitly
> > > disabled.
> > > 
> > > If the batch removal process fails, for example because one or
> > > more enabled modules depend on one or more modules to be removed,
> > > remove each module separately (much slower but most effective).
> > 
> > The policy makefiles were never meant to do this.  The targets for
> > loading modules are just for convenience, and not meant to add
> > another layer of policy management to what we already have with
> > semodule/semanage.
> 
> Even if originally it was not designed to provide such a facility, it
> is never too late to offer something more to the user.
> 
> Generally speaking, one would probably expect that the "load" target
> only loads modules that are enabled in the policy/modules.conf file
> and not modules that are disabled...
> 
> By the way, after removing several modules that I do not use, I came
> across some strange behaviour of the system, so I wonder if you have
> any idea of what is actually going on.
> 
> The system became unstable due to several permission denied errors
> and it seems like parts of the policy have not been loaded, even
> though "semodule -l" shows that the relevant modules are there.

I found that part of the problem was due to the removal of the
"unconfined" domain.

> For example:
> 
> # sesearch -t xsession_exec_t -c file -p entrypoint -Ad

But, even after re-enabling the unconfined domain, other permissions
such as the one above are not found, even though the relevant policy
modules have been loaded (in this case the xserver module).

> shows nothing, while it should show the result of calling the
> xserver_xsession_entry_type() interface from xserver_restricted_role()
> which is called by xserver_role() as usual !
> 
> Another example is as follows. Even though the domain module is
> loaded, because "semodule -l" shows that the base is loaded, the
> following command:
> 
> # sesearch -s domain -c file -Ad
> 
> only shows:
> 
> Found 5 semantic av rules:
>    allow domain ld_so_t : file { ioctl read getattr execute open } ;
>    allow domain ld_so_cache_t : file { ioctl read getattr lock open } ;
>    allow domain cpu_online_t : file { ioctl read getattr lock open } ;
>    allow domain lib_t : file { ioctl read getattr execute open } ;
>    allow domain textrel_shlib_t : file { ioctl read getattr execute execmod open } ;
> 
> while I believe it should at least show other "domain self:file"
> permissions.
> 
> Do you know what is actually going on after I removed the unused
> modules ? They were all optional stuff that is not installed on the
> system...
> 
> > > 
> > > Signed-off-by: Guido Trentalancia
> > > ---
> > >  Rules.modular |    6 +++++-
> > >  1 file changed, 5 insertions(+), 1 deletion(-)
> > > 
> > > diff -pru a/Rules.modular b/Rules.modular
> > > --- a/Rules.modular	2016-12-15 19:23:50.693731447 +0100
> > > +++ b/Rules.modular	2016-12-15 20:40:42.482313515 +0100
> > > @@ -21,6 +21,7 @@ base_post_te_files := $(user_files) $(po
> > >  base_fc_files := $(base_mods:.te=.fc)
> > > 
> > >  mod_pkgs := $(addprefix $(builddir),$(notdir $(mod_mods:.te=.pp)))
> > > +off_mod_names := $(basename $(off_mods))
> > > 
> > >  # policy packages to install
> > >  instpkg := $(addprefix $(modpkgdir)/,$(notdir $(base_pkg)) $(mod_pkgs))
> > > @@ -48,7 +49,9 @@ install: $(instpkg) $(appfiles)
> > > 
> > >  ########################################
> > >  #
> > > -# Load all configured modules
> > > +# Load all configured modules and remove
> > > +# all modules that have been explicitly
> > > +# disabled
> > >  #
> > >  load: $(instpkg) $(appfiles)
> > >  # make sure two directories exist since they are not
> > > @@ -56,6 +59,7 @@ load: $(instpkg) $(appfiles)
> > >  	@echo "Loading configured modules."
> > >  	@$(INSTALL) -d -m 0755 $(policypath) $(dir $(fcpath))
> > >  	$(verbose) $(SEMODULE) -s $(NAME) -i $(modpkgdir)/$(notdir $(base_pkg)) $(foreach mod,$(mod_pkgs),-i $(modpkgdir)/$(mod))
> > > +	-$(verbose) $(SEMODULE) -s $(NAME) -r $(foreach offmod,$(off_mod_names),$(offmod)) || $(foreach offmod,$(off_mod_names),$(SEMODULE) -s $(NAME) -r $(offmod);)
> > > 
> > >  ########################################
> > >  #

Regards,

Guido
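Review bot: in the first hunk (@@ -21,6 +21,7 @@), `off_mod_names := $(basename $(off_mods))` only strips the `.te` suffix, whereas the neighbouring `mod_pkgs` line wraps `$(mod_mods:.te=.pp)` in `$(notdir ...)`; if `off_mods` is built the same way as `mod_mods` (a list of `.te` paths under the modules tree), every name handed to `semodule -r` still carries its directory prefix and no removal can succeed. Suggest `off_mod_names := $(basename $(notdir $(off_mods)))` so the values match the module names that `semodule -l` reports.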
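Review bot: in the third hunk (@@ -56,6 +59,7 @@), the new recipe line is a shell syntax error whenever no module is set to off: with `off_mod_names` empty it expands to `semodule -s $(NAME) -r || ` with nothing after `||`, and the leading `-` only lets make continue past the resulting error; wrap the line in `$(if $(off_mod_names),...)` or an `ifneq` block. On the same line, `semodule -r` on a module that is not currently installed reports an error and exits non-zero, so on a fresh load, or whenever any disabled module was never installed, the batch removal always fails and the slow per-module fallback always runs; and because the fallback chains its commands with `;` under the `-` prefix, a module that cannot be removed (one an enabled module still depends on, or whose dependents appear later in the list) is skipped silently and `load` still reports success. The fallback should at least end by checking that none of `$(off_mod_names)` remains in `semodule -l`, or fail the target explicitly. Minor: `$(foreach offmod,$(off_mod_names),$(offmod))` is just `$(off_mod_names)`.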