zondag 12 juli 2009

Policy development: optional policy

If you have looked into source policy you might have noticed optional policy blocks of policy in the type enforcement source policy files. Optional policy is used to make policy modular.

If you call a interface in your policy module that is hosted by another policy module then your module is dependent on that other module. If you decide to de-install the policy module that hosts the interface that you called in your policy module than your policy will no longer be able to build. This is because you're calling shared policy that no longer exists.

To avoid these dependencies, optional policy block are used.

Let's look at some examples:

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/apps/mozilla.te

On line 244 to line 246 there is an optional policy block defined with policy that is borrowed from the gnome policy module.
This can determined since the interface is prefixed by the name (gnome) of the policy module that hosts the interface that is called by mozilla.

The interface facilitates permissions that allows firefox to connect to a unix stream socket that is owned by gnome gconf.

The interface is defined here:

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/apps/gnome.if
(line 38 to line 55)

Let's use the semodule command to list both mozilla and gnome modules:

# semodule -l | grep gnome

gnome 2.0.0
gnomeclock 1.0.0

# semodule -l | grep mozilla
mozilla 2.0.1

We should be able to de-install both modules without getting into dependency troubles. If i decide to de-install the gnome module then the gnome_stream_connect_gconf interface becomes unavailable since it is defined in the gnome policy module that i just de-installed.

If we would have called gnome_stream_connect_gconf(mozilla_t) without using the optional policy block than we would run into trouble if we tried to de-install the gnome module. The compiler would complain about missing dependencies.

You should note that not all policy comes as a stand alone module. Some policies are not optional and they go into a single policy module called base.
As a rule keep in mind that if you can list a module with the semodule command then it can be de-installed.

If you borrow shared policy from another (optional) policy module then remember to place it into the optional policy block. For example all policy borrowed from gnome module can be placed into a optional policy block for gnome policy.

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/apps/mozilla.te
(line 225 to line 227)

These are two interfaces that are hosted by the apache policy module. Both interfaces can go into a single optional policy block since both interfaces are dependent on the same apache module.

Geen opmerkingen:

Een reactie plaatsen