Richterrettich / rpm-rs

A pure rust library for building and parsing RPM's

SELinux Policy files #18

Closed drahnr closed 3 years ago

drahnr commented 4 years ago

I am not quite sure how much work or intricacies this would add, but I would love to see support for policy files such that rpms created with policy files included (i.e. https://selinuxproject.org/page/RPM) work just fine.

Not sure how much work this would be, I did not check the code just yet.

Richterrettich commented 4 years ago

This would be a good feature indeed if it is part of the original RPM feature set. We just need to figure out how those policies are stored in the index. I've personally never seen this feature before to be honest.

drahnr commented 3 years ago

Relevant changelog entries of rpm-4.15.1, which is the best documentation I found so far.

commit edbc9ead961fcbeb1733b47405041b653b521bcb
Author: Panu Matilainen <pmatilai@redhat.com>
Date:   Fri Jun 26 12:31:57 2009 +0300

    Base64-encode %policy files to ensure they can be presented as strings
    - RPMTAG_POLICIES is a string array but there's no guarantee that
      something marked %policy is a plaintext file that can be represented
      as \0-terminated string, base64-encoding them fixes that. Baby steps
      towards making %policy remotely usable, related to RhBug:505066.
    - Also remove unnecessary failure code setting, processMetadataFile()
      assumes failure already, and don't try to insert NULL strings in case
      b64encode() or pgpArmorWrap() fails

commit 383e27564853fd4c387ca1d4a69f223140a0daca
Author: Steve Lawrence <slawrence@tresys.com>
Date:   Mon Aug 30 16:32:29 2010 -0400

    Add new %sepolicy section to the spec file format

    The %sepolicy section is used to describe SELinux policy to be included
    in a package. Its syntax is similar to other sections (%files, %pre,
    %post, etc.) in that you can provide a string and -n after the
    declaration to specify policy should be added to a subpackage.

    For example:

    %sepolicy
     # policy in this section will be added to the main package

    %sepolicy foo
     # policy in this section will be added to the '<mainpackage>-foo' subpackage

    %sepolicy -n bar
     # policy in this section will be added to the 'bar' subpackage

    The %sepolicy section contains zero or more %semodule directives, with the
    following format:

    %semodule [OPTIONS] path/to/module.pp

    The available options are:

    -b, --base
            The module is a base module

    -n, --name=NAME
            The name of the module. If not given, assumes the name is the basename of
            the module file with file extensions removed.

    -t, --types=TYPES
            One or more comma-separated strings specifying which policy types the
            module can work with. To explicitly state that a module can work with any
            policy type, "default" can be specified as the value. If not specified,
            assumes the module can work with any policy type, and assigns the types as
            "default".

    Below is an example of this new format:

      %sepolicy
      %semodule -n foo -t mls policy/foo.pp
      %semodule -n bar -t strict,targeted,mls -b policy/bar.pp

    This also adds new header tags to store the new information:
     RPMTAG_POLICYNAMES        (string array)
     RPMTAG_POLICYTYPES        (string array)
     RPMTAG_POLICYTYPESINDEXES (uint32 array)
     RPMTAG_POLICYFLAGS        (uint32 array)

    The index of NAMES and FLAGS maps directly to the index of RPMTAG_POLICIES.
    However, because a single policy can have multiple types, the mapping for
    TYPES is not direct. For this, the index maps to TYPESINDEXES, which
    contains the index of the policy that the type maps to. This is similar to
    how DIRINDEXES is used to map DIRNAMES and BASENAMES. As an example, the
    previous %sepolicy section would have the following header tags:

    RPMTAG_POLICIES:
     0: <foo.pp data, base64 encoded>
     1: <bar.pp data, base64 encoded>

    RPMTAG_POLICYNAMES:
     0: foo
     1: bar

    RPMTAG_POLICYFLAGS:
     0: 0
     1: 1   # assumes flag 1 == BASE

    RPMTAG_POLICYTYPES:        RPMTAG_POLICYTYPESINDEXES:
     0: mls                     0: 0
     1: strict                  1: 1
     2: targeted                2: 1
     3: mls                     3: 1

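
The tag layout quoted in the comment above, worked through in Rust as an added example that is not part of this thread or of rpm-rs: one entry per %semodule is rebuilt from the five tags, with the DIRINDEXES-style indirection applied for the types and the base64 payloads decoded. The tag names and the foo/bar sample come from the commit message; the `PolicyEntry` type, the `decode_policy_tags` and `base64_decode` functions, the flag value 1 for BASE, and the two base64 strings (made-up module bytes that deliberately contain a NUL) are assumptions made for this example.

```rust
// Added example, not rpm-rs code: rebuild per-module SELinux policy entries
// from the five header tags named in the commit message. Tag names follow
// that message; `PolicyEntry`, `decode_policy_tags`, the BASE flag value and
// the sample values below are assumptions made for this example.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct PolicyEntry {
    pub name: String,       // RPMTAG_POLICYNAMES[i]
    pub is_base: bool,      // RPMTAG_POLICYFLAGS[i] & BASE, "assumes flag 1 == BASE"
    pub types: Vec<String>, // gathered from POLICYTYPES via POLICYTYPESINDEXES
    pub module: Vec<u8>,    // RPMTAG_POLICIES[i], base64-decoded .pp bytes
}

/// Flag value the commit message assumes for a base module (assumption).
pub const POLICY_FLAG_BASE: u32 = 1;

/// Minimal RFC 4648 base64 decoder (padding optional, whitespace skipped),
/// so the example runs without an external crate.
pub fn base64_decode(input: &str) -> Result<Vec<u8>, String> {
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u32);
    for c in input.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'+' => 62,
            b'/' => 63,
            b'=' => break,
            b'\n' | b'\r' | b' ' | b'\t' => continue,
            other => return Err(format!("invalid base64 byte 0x{:02x}", other)),
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8); // acc < 2^(bits+8) here, so this is exact
            acc &= (1 << bits) - 1;
        }
    }
    Ok(out)
}

/// Join the parallel arrays (NAMES, FLAGS) and the indirect one (TYPES via
/// TYPESINDEXES) into one entry per RPMTAG_POLICIES element, rejecting
/// headers whose array lengths or indexes do not line up.
pub fn decode_policy_tags(
    policies: &[&str],
    names: &[&str],
    flags: &[u32],
    types: &[&str],
    type_indexes: &[u32],
) -> Result<Vec<PolicyEntry>, String> {
    if names.len() != policies.len() || flags.len() != policies.len() {
        return Err(format!(
            "POLICIES/NAMES/FLAGS lengths differ: {}/{}/{}",
            policies.len(), names.len(), flags.len()
        ));
    }
    if types.len() != type_indexes.len() {
        return Err(format!(
            "POLICYTYPES/POLICYTYPESINDEXES lengths differ: {}/{}",
            types.len(), type_indexes.len()
        ));
    }
    let mut entries = Vec::with_capacity(policies.len());
    for i in 0..policies.len() {
        entries.push(PolicyEntry {
            name: names[i].to_string(),
            is_base: flags[i] & POLICY_FLAG_BASE != 0,
            types: Vec::new(),
            module: base64_decode(policies[i]).map_err(|e| format!("POLICIES[{}]: {}", i, e))?,
        });
    }
    // Same trick as DIRINDEXES: TYPESINDEXES[j] names the policy that TYPES[j]
    // belongs to, so one policy can own several types. An index past the end
    // of POLICIES is a malformed header, not a missing type.
    for (j, &idx) in type_indexes.iter().enumerate() {
        let entry = entries
            .get_mut(idx as usize)
            .ok_or_else(|| format!("POLICYTYPESINDEXES[{}] = {} is out of range", j, idx))?;
        entry.types.push(types[j].to_string());
    }
    // A policy with no listed type works with any policy type ("default").
    for e in entries.iter_mut() {
        if e.types.is_empty() {
            e.types.push("default".to_string());
        }
    }
    Ok(entries)
}

/// Constructed sample header mirroring the foo/bar example from the commit
/// message. The module bytes are made up and deliberately contain a NUL,
/// which is exactly why RPM base64-encodes %policy payloads.
pub fn sample_entries() -> Result<Vec<PolicyEntry>, String> {
    decode_policy_tags(
        &["j/8AAQ==", "AEJBUg=="],             // RPMTAG_POLICIES
        &["foo", "bar"],                       // RPMTAG_POLICYNAMES
        &[0, POLICY_FLAG_BASE],                // RPMTAG_POLICYFLAGS
        &["mls", "strict", "targeted", "mls"], // RPMTAG_POLICYTYPES
        &[0, 1, 1, 1],                         // RPMTAG_POLICYTYPESINDEXES
    )
}

fn main() {
    match sample_entries() {
        Ok(entries) => {
            for e in &entries {
                println!("{} base={} types={:?} module={:02x?}", e.name, e.is_base, e.types, e.module);
            }
        }
        Err(e) => eprintln!("malformed policy tags: {}", e),
    }
}
```

The length and range checks are the part worth keeping if this ever were parsed for real: the five arrays come from a header the parser does not control, and a TYPESINDEXES value pointing past POLICIES must be reported rather than indexed.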
drahnr commented 3 years ago

https://github.com/rpm-software-management/rpm/issues/1319#issuecomment-673392751 at this point it's questionable whether supporting this is worth it.

Richterrettich commented 3 years ago

IMHO we should wait for Upstream to make a move. If they pick this up at some point in time, we should implement this. But until then, it would be better to leave it out of our API for the moment.

Let's mark it as "One of the cryptic features of RPM that nobody should use" for the moment.

drahnr commented 3 years ago

Since there is no use for that header content, and there are no plans for upstream to use that (and even if, it would be re-implemented differently) it's kind of pointless. Closing.