| 1 |
On Thu, Apr 13, 2017 at 12:02:24PM +0100, Robert Sharp wrote: |
| 2 |
> Is there a difference between policies that appear to be in core but |
| 3 |
> also have their own ebuilds? For example: selinux-ddclient versus |
| 4 |
> policy/modules/contrib/dnsmasq.* and selinux-ddclient versus |
| 5 |
> policy/modules/contrib/ddclient. I need to change both but when I tried |
| 6 |
> to change dnsmasq it started complaining bitterly about binding to |
| 7 |
> random ports, which is what dnsmasq does. |
| 8 |
|
| 9 |
Not sure i follow exactly what you're asking but lemme give a quick |
| 10 |
overview and see if it helps. |
| 11 |
|
| 12 |
- sec-policy/selinux-base |
| 13 |
This is the first package installed and everything else depends on it. |
| 14 |
It installs all the .if interface files that every other module uses to |
| 15 |
build. and also the base configs and stuff for /etc/selinux/ etc. |
| 16 |
It also *builds* but does not load base.pp into |
| 17 |
/usr/share/selinux/{strict,mcs,targeted}/base.pp |
| 18 |
as for what base actually is, its everything that is =base in |
| 19 |
policy/modules.conf in the repo |
| 20 |
|
| 21 |
hardened-refpolicy $ grep "= base" policy/modules.conf |
| 22 |
corecommands = base |
| 23 |
corenetwork = base |
| 24 |
devices = base |
| 25 |
domain = base |
| 26 |
files = base |
| 27 |
filesystem = base |
| 28 |
kernel = base |
| 29 |
mcs = base |
| 30 |
mls = base |
| 31 |
selinux = base |
| 32 |
terminal = base |
| 33 |
ubac = base |
| 34 |
|
| 35 |
- sec-policy/selinux-base-policy |
| 36 |
this builds the other "core" policies. there isnt really a definition |
| 37 |
for what is core but its pretty much things that depend on each other |
| 38 |
too much and are always needed but arnt required to be in base. |
| 39 |
|
| 40 |
if you look in the -base-policy ebuild, you see the line: |
| 41 |
MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork tmpfiles udev userdomain usermanage unprivuser xdg" |
| 42 |
(and also systemd module behind a USE-flag) |
| 43 |
|
| 44 |
the selinux-base-policy ebuild will build all those modules and then at |
| 45 |
the end it basically does semodule -i base.pp ${MODS} to load everything |
| 46 |
from -base and -base-policy |
| 47 |
|
| 48 |
- sec-policy/selinux-foo |
| 49 |
these packages build and load just the module that is in the MODS= line |
| 50 |
in the ebuild. its almost always the same as the name as the package but |
| 51 |
thats not a requirement or anything. |
| 52 |
|
| 53 |
just because these things are not sec-policy/selinux-base{,-policy} |
| 54 |
doesnt mean they all come from the /contrib/ dir inside the repo, there |
| 55 |
are several things that are outside cthats not a requirement or |
| 56 |
anything. eg: selinux-xserver's files are from services/xserver.{te,if,fc} |
| 57 |
|
| 58 |
|
| 59 |
> Just to be absolutely clear, I expect that there is a versioning |
| 60 |
> difference because I have pulled the latest from the git repository but |
| 61 |
> I am using stable ebuilds, but I don't expect that this is the difference? |
| 62 |
|
| 63 |
the versions should be exactly the same for all the sec-policy/selinux-* |
| 64 |
packages yeah. |
| 65 |
|
| 66 |
So if you end up updating stuff in the .if files then you'll have to |
| 67 |
rebuild selinux-base so your system gets the new interfaces then you |
| 68 |
gotta rebuild just the modules you were messing around with. |
| 69 |
or you can do emerge @selinux-rebuild and it'll do all of them if you're |
| 70 |
lazy. |
| 71 |
|
| 72 |
Hope this makes some of the magic a little clearer, |
| 73 |
-- Jason |
Archives