Mailing List Archive: RFC: Improving support for (re)labeling packages when SELinux dependency is added

RFC: Improving support for (re)labeling packages when SELinux dependency is added

Aug 21, 2014, 11:13 AM

Post #1 of 5 (2071 views)

During a discussion about dependencies and SELinux labeling, I noticed that
we might want to improve how we currently handle pure policy-related
dependencies.

What we want to get at, is that the installation of a SELinux policy package
results in the (re)labeling of the files of the packages it holds policy
data (well, file contexts to be exact) of.

What we currently do is a subset of that: when a package is installed, its
associated SELinux policy package is merged before the package itself, so
that Portage can correctly label the files of the package. This means both a
DEPEND (has to be installed before the package) and RDEPEND (because of
binary packages) is used.

This doesn't implement what we really need fully though: updates on the
SELinux policy do not reflect upon the labels of the packages if they are
already installed. For instance, if we would change the label of the
"emerge" command in the policy, then this label is not applied unless the
administrator rebuilds Portage, relabels Portage or relabels the file
system.

This also means that we currently abuse the Portage dependency system to
accomplish a reasonable implementation. So... why not see how we can fix
things?

It would be nice if we could only mark the dependencies are RDEPEND, and in
the policy installation phase (its pkg_postinst() method) find out what
package(s) are RDEPEND'ing on this package, and then relabel the files of
those packages.

Something like so (which we can do in the selinux-policy-2.eclass):

pkg_postinst() {
# Find all packages with this package in their RDEPEND
PKGSET=$(equery -q depends ${CATEGORY}/${PN})
for PKG in ${PKGSET};
do
rlpkg ${PKG};
done
}

This simple implementation would allow us to only use RDEPEND, and would
also relabel the files after a policy update (which we don't do now) and
also doesn't require any changes to Portage or EAPI or whatever and does not
trigger any unnecessary rebuilds...

... but (there is always a but) uses a currently optional tool (equery)
which is probably also quite slow for some users. Still, I do like this
idea as it is very simple. And I like simple. Simple is nice.

Anyone know of a way to do something similar without depending on equery (it
doesn't seem like portageq has the necessary features for this)?

Anyone know of a better approach?

Wkr,
Sven Vermeulen

Re: RFC: Improving support for (re)labeling packages when SELinux dependency is added [ In reply to ]

jason at perfinion

Aug 21, 2014, 11:42 AM

Post #2 of 5 (2016 views)

Permalink

On Thu, Aug 21, 2014 at 06:13:01PM +0000, Sven Vermeulen wrote:
> During a discussion about dependencies and SELinux labeling, I noticed that
> we might want to improve how we currently handle pure policy-related
> dependencies.
>
> What we want to get at, is that the installation of a SELinux policy package
> results in the (re)labeling of the files of the packages it holds policy
> data (well, file contexts to be exact) of.
>
> What we currently do is a subset of that: when a package is installed, its
> associated SELinux policy package is merged before the package itself, so
> that Portage can correctly label the files of the package. This means both a
> DEPEND (has to be installed before the package) and RDEPEND (because of
> binary packages) is used.
>
> This doesn't implement what we really need fully though: updates on the
> SELinux policy do not reflect upon the labels of the packages if they are
> already installed. For instance, if we would change the label of the
> "emerge" command in the policy, then this label is not applied unless the
> administrator rebuilds Portage, relabels Portage or relabels the file
> system.

This is currently a fairly important issue, I end up just manually running
"restorecon -r /" a lot to update labels after things are fixed in the
policy which should not be required.

What comes up a lot is someone installs a new version of a program and
then sees it needs some different selinux rules which would then take a
wihle to get down to stable but by then all users are on the new version
so as it is now would not get the new labels.

> This also means that we currently abuse the Portage dependency system to
> accomplish a reasonable implementation. So... why not see how we can fix
> things?
>
> It would be nice if we could only mark the dependencies are RDEPEND, and in
> the policy installation phase (its pkg_postinst() method) find out what
> package(s) are RDEPEND'ing on this package, and then relabel the files of
> those packages.

I would ideally like the deps to go the other way since I think they are
more like the policy "provides" things for those packages, not that
those packages "depend" on the policy. But as I am not aware of a way to
express this in portage, RDEPEND is fine.

> Something like so (which we can do in the selinux-policy-2.eclass):
>
> pkg_postinst() {
> # Find all packages with this package in their RDEPEND
> PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> for PKG in ${PKGSET};
> do
> rlpkg ${PKG};
> done
> }

This looks like it would work apart from the optional equery. What about
if the user does not want something relabelled after updating if they
have special circumstances? We might want a way to say don't touch this
package I'll do it myself. Alternatively the user would just have to set
it in semange fcontext and it'll be fine.

-- Jason

> This simple implementation would allow us to only use RDEPEND, and would
> also relabel the files after a policy update (which we don't do now) and
> also doesn't require any changes to Portage or EAPI or whatever and does not
> trigger any unnecessary rebuilds...
>
> ... but (there is always a but) uses a currently optional tool (equery)
> which is probably also quite slow for some users. Still, I do like this
> idea as it is very simple. And I like simple. Simple is nice.
>
> Anyone know of a way to do something similar without depending on equery (it
> doesn't seem like portageq has the necessary features for this)?
>
> Anyone know of a better approach?
>
> Wkr,
> Sven Vermeulen
>

Re: RFC: Improving support for (re)labeling packages when SELinux dependency is added [ In reply to ]

swift at gentoo

Aug 21, 2014, 11:46 AM

Post #3 of 5 (2029 views)

Permalink

On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote:
> > Something like so (which we can do in the selinux-policy-2.eclass):
> >
> > pkg_postinst() {
> > # Find all packages with this package in their RDEPEND
> > PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> > for PKG in ${PKGSET};
> > do
> > rlpkg ${PKG};
> > done
> > }
>
> This looks like it would work apart from the optional equery. What about
> if the user does not want something relabelled after updating if they
> have special circumstances? We might want a way to say don't touch this
> package I'll do it myself. Alternatively the user would just have to set
> it in semange fcontext and it'll be fine.

Do you have a specific situation in mind? As far as I see, the relabeling is
an almost mandatory step (even right now). What users can (and should) do if
they don't want the default labels is to define their own labels and policy,
and in those cases the relabeling operation (by rlpkg) will be correct
anyway (as it uses the SELinux context definitions on the system).

Wkr,
Sven Vermeulen

Re: RFC: Improving support for (re)labeling packages when SELinux dependency is added [ In reply to ]

mschiff at gentoo

Aug 25, 2014, 3:57 PM

Post #4 of 5 (2029 views)

Permalink

* Sven Vermeulen schrieb am 21.08.14 um 20:13 Uhr:
>During a discussion about dependencies and SELinux labeling, I noticed that
>we might want to improve how we currently handle pure policy-related
>dependencies.
>
>What we want to get at, is that the installation of a SELinux policy package
>results in the (re)labeling of the files of the packages it holds policy
>data (well, file contexts to be exact) of.
>
>What we currently do is a subset of that: when a package is installed, its
>associated SELinux policy package is merged before the package itself, so
>that Portage can correctly label the files of the package. This means both a
>DEPEND (has to be installed before the package) and RDEPEND (because of
>binary packages) is used.
>
>This doesn't implement what we really need fully though: updates on the
>SELinux policy do not reflect upon the labels of the packages if they are
>already installed. For instance, if we would change the label of the
>"emerge" command in the policy, then this label is not applied unless the
>administrator rebuilds Portage, relabels Portage or relabels the file
>system.
>
>This also means that we currently abuse the Portage dependency system to
>accomplish a reasonable implementation. So... why not see how we can fix
>things?
>
>It would be nice if we could only mark the dependencies are RDEPEND, and in
>the policy installation phase (its pkg_postinst() method) find out what
>package(s) are RDEPEND'ing on this package, and then relabel the files of
>those packages.
>
>Something like so (which we can do in the selinux-policy-2.eclass):
>
>pkg_postinst() {
> # Find all packages with this package in their RDEPEND
> PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> for PKG in ${PKGSET};
> do
> rlpkg ${PKG};
> done
>}
>
>This simple implementation would allow us to only use RDEPEND, and would
>also relabel the files after a policy update (which we don't do now) and
>also doesn't require any changes to Portage or EAPI or whatever and does not
>trigger any unnecessary rebuilds...
>
>... but (there is always a but) uses a currently optional tool (equery)
>which is probably also quite slow for some users. Still, I do like this
>idea as it is very simple. And I like simple. Simple is nice.
>
>Anyone know of a way to do something similar without depending on equery (it
>doesn't seem like portageq has the necessary features for this)?
>
>Anyone know of a better approach?

It may be more likely that user have app-portage/portage-utils
installed and the package is much smaller (6.4M vs 130k). Apart from
that, qdepends is *much* faster:

pkg_postinst() {
# Find all packages with this package in their RDEPEND
PKGSET=$(qdepends -rCQ ${CATEGORY}/${PN})
for PKG in ${PKGSET};
do
rlpkg ${PKG};
done
}

anyway, a DEPEND on app-portage/portage-utils should not hurt too
much (IMO).

-Marc

--
0x35A64134 - 8AAC 5F46 83B4 DB70 8317
3723 296C 6CCA 35A6 4134

Re: RFC: Improving support for (re)labeling packages when SELinux dependency is added [ In reply to ]

jason at perfinion

Aug 26, 2014, 3:39 PM

Post #5 of 5 (2018 views)

Permalink

On Thu, Aug 21, 2014 at 06:46:37PM +0000, Sven Vermeulen wrote:
> On Thu, Aug 21, 2014 at 10:42:21PM +0400, Jason Zaman wrote:
> > > Something like so (which we can do in the selinux-policy-2.eclass):
> > >
> > > pkg_postinst() {
> > > # Find all packages with this package in their RDEPEND
> > > PKGSET=$(equery -q depends ${CATEGORY}/${PN})
> > > for PKG in ${PKGSET};
> > > do
> > > rlpkg ${PKG};

I tested it just now and its working fine for me :)

rlpkg can take many packages on the commandline at once which is easier
and likely faster than a for loop.
I replaced the loop with:
if [ x"${PKGSET}" != "x" ]; then
rlpkg ${PKGSET};
fi

We may also want to grep -v "sec-policy/selinux-", they all depend on
base-policy so it has a lot of relabelling which is probably not needed.

Also, I noticed some parts of the eclass use "if [" and some use "if [[",
being more consistent would probably be good.

> > > done
> > > }
> >
> > This looks like it would work apart from the optional equery. What about
> > if the user does not want something relabelled after updating if they
> > have special circumstances? We might want a way to say don't touch this
> > package I'll do it myself. Alternatively the user would just have to set
> > it in semange fcontext and it'll be fine.
>
> Do you have a specific situation in mind? As far as I see, the relabeling is
> an almost mandatory step (even right now). What users can (and should) do if
> they don't want the default labels is to define their own labels and policy,
> and in those cases the relabeling operation (by rlpkg) will be correct
> anyway (as it uses the SELinux context definitions on the system).

Yeah it was mostly theoretical. I think its reasonable to say that a
user needs to use semanage fcontext instead of chcon. chcon would be
fine for temporary things or things not managed by portage (eg /home).

-- Jason

Mailing List Archive

Mailing List Archive

Attached Files: