Remove dependency on make and selinux-policy-devel in selinux::module #141

Closed
ericcolruyt opened this issue Dec 19, 2016 · 6 comments

@ericcolruyt

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.x
  • Ruby:
  • Distribution: RHEL7
  • Module version:

How to reproduce (e.g Puppet code you use)

The requirement on make for compiling a .te file to .pp is not really needed.
Doing
/usr/bin/checkmodule -M -m -o ${prefix}${name}.mod ${prefix}${name}.te && /usr/bin/semodule_package -o ${prefix}${name}.pp -m ${prefix}${name}.mod && rm -f ${prefix}${name}.mod
is sufficient.

This prevents make from being installed on the system, which is something that we want to avoid.

@vinzent
Contributor

vinzent commented Dec 19, 2016

what about interfaces and macros from /usr/share/selinux/devel - are they available with the manual procedure?

@ericcolruyt
Author

That directory doesn't exist on a minimal installation (only policycoreutils-python is installed in addition).

What are they needed for?

@vinzent
Contributor

vinzent commented Dec 20, 2016

very simple selinux policy:

policy_module(puppet_selinux_test_policy, 1.0.0)

gen_tunable(puppet_selinux_test_policy_bool, false)

type puppet_selinux_test_policy_t;
type puppet_selinux_test_policy_exec_t;
init_daemon_domain(puppet_selinux_test_policy_t, puppet_selinux_test_policy_exec_t)

it fails to compile at the checkmodule command:

#> /usr/bin/checkmodule -M -m -o puppet_selinux_test_policy.mod puppet_selinux_test_policy.te
/usr/bin/checkmodule:  loading policy configuration from puppet_selinux_test_policy.te
puppet_selinux_test_policy.te:1:ERROR 'Building a policy module, but no module specification found.
' at token 'policy_module' on line 1:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration

example selinux policies: https://github.com/TresysTechnology/refpolicy-contrib/blob/master
https://github.com/TresysTechnology/refpolicy/wiki/GettingStarted

@vinzent
Contributor

vinzent commented Jan 17, 2017

@ericcolruyt what do you think about something like:

# only minimal:
selinux::module { 'mymodule':
  builder => 'minimal',
  source_te => 'puppet:///modules/profile/mymodule.te',
} 

# this will install additional required packages
selinux::module { 'mymodule':
  ensure => 'present',
  builder => 'makefile', # DEFAULT 
  source_te => 'puppet:///modules/profile/mymodule.te',
  source_if => 'puppet:///modules/profile/mymodule.if',
  source_fc => 'puppet:///modules/profile/mymodule.fc',
} 

# no compiling at all
selinux::module { 'mymodule':
  source_pp => 'puppet:///modules/profile/mymodule.pp',
} 

selinux::module { 'mymodule':
  ensure => 'absent',
} 

if you feel this is important for you please comment in the next few days.
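
Added example, not part of the thread and not the module's own code: a shell heuristic that tells apart a .te file that can go straight to checkmodule (as in the one-line command in the issue) from one that uses refpolicy m4 macros, like the policy that failed above, and so needs the make-based build. The function names are hypothetical, the `minimal`/`makefile` results borrow the builder names proposed in the comment above, and the raw-syntax and mixed samples are constructed.

```shell
# Added example (not from the thread): pick a builder for a .te file.
te_builder() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    # Drop comments and blank lines so they cannot hide or fake a declaration.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1")
    # Raw module syntax must open with: module <name> <version>;
    if ! printf '%s\n' "$body" | head -n 1 |
        grep -Eq '^[[:space:]]*module[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]+[0-9][0-9.]*[[:space:]]*;'
    then
        echo makefile; return 0
    fi
    # A statement shaped like name(...) is an m4 macro call; "if (...)" is the
    # raw-syntax statement that looks the same, so it is excluded.
    if printf '%s\n' "$body" | grep -E '^[[:space:]]*[a-z_][a-z0-9_]*[[:space:]]*\(' |
        grep -Evq '^[[:space:]]*if[[:space:]]*\('
    then
        echo makefile; return 0
    fi
    echo minimal
}

# Constructed samples: the policy quoted in the thread, a raw module, a mixed file.
te_builder_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/macro.te" <<'EOF'
policy_module(puppet_selinux_test_policy, 1.0.0)
gen_tunable(puppet_selinux_test_policy_bool, false)
type puppet_selinux_test_policy_t;
type puppet_selinux_test_policy_exec_t;
init_daemon_domain(puppet_selinux_test_policy_t, puppet_selinux_test_policy_exec_t)
EOF
    cat > "$dir/raw.te" <<'EOF'
# constructed sample, raw module syntax
module mymodule 1.0;
require {
    type httpd_t;
    type var_log_t;
    class file { read getattr };
}
allow httpd_t var_log_t:file { read getattr };
EOF
    cat > "$dir/mixed.te" <<'EOF'
module mymodule 1.0;
gen_require(`type httpd_t;')
EOF
    echo "$(te_builder "$dir/macro.te") $(te_builder "$dir/raw.te") $(te_builder "$dir/mixed.te")"
    rm -rf "$dir"
}
```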

@vinzent vinzent added the enhancement New feature or request label Jan 17, 2017
@vinzent
Contributor

vinzent commented Jan 17, 2017

superseded by #178 - closing this.

@vinzent vinzent closed this as completed Jan 17, 2017
@ericcolruyt
Author

@vinzent Looks good to me. Good idea to also include the possibility to work with a compiled module.

I will follow further in #178.
