I got quick info on how to start writing a policy for OpenLMI providers, see below. Please try it for your providers and send AVCs to Mirek Grepl.
I can only add:
0.1: Install necessary packages
# yum install selinux-policy-devel
0.2: read /usr/share/doc/tog-pegasus-2.12.1/README.RedHat.Security
0.3: based on the document above:
# cp /usr/share/doc/tog-pegasus-2.12.1/cmpiOSBase_OperatingSystemProvider-cimprovagt.example /usr/libexec/pegasus/<yourprovider>-cimprovagt
(and package the file)
# chmod 755 /usr/libexec/pegasus/<yourprovider>-cimprovagt
Jan
-------- Original Message --------
Subject: how to get a policy for openlmi-*
Date: Wed, 29 May 2013 10:16:36 +0200
From: Miroslav Grepl mgrepl@redhat.com
To: jsafrane@redhat.com
1. create own policy for a provider
# cat mypol.te
policy_module(mypol,1.0)
pegasus_openlmi_domain_template(providername)
and run
# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t pegasus_openlmi_providername_exec_t PATH_TO/providername
test it and run
# ausearch -m avc -ts recent
and send me AVC msgs.
For example we define in the policy
pegasus_openlmi_domain_template(account)
If you want to activate the policy for this account provider, you need to run
# chcon -t pegasus_openlmi_account_exec_t /usr/libexec/pegasus/cmpiLMI_Account-cimprovagt
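The steps above (write a one-line .te module, build it with the devel Makefile, install it, relabel the provider's cimprovagt wrapper, then collect AVCs) fit in a small POSIX shell script. The one below is an added example written for this thread, not code from OpenLMI, Pegasus or the selinux-policy package. It assumes that pegasus_openlmi_domain_template(NAME) produces a domain type pegasus_openlmi_NAME_t alongside the pegasus_openlmi_NAME_exec_t shown above (only the exec type appears in the thread), and the AVC record at the bottom is constructed so that the summariser can be exercised without an SELinux host.

```shell
#!/bin/sh
# Added example: scaffold, install and check a per-provider SELinux module
# following the steps in Mirek's mail. Not part of OpenLMI or Pegasus.

# Write a minimal .te module for one provider into the given directory
# and print the path of the file written.
gen_te() {
  # $1 = provider name (e.g. account), $2 = output directory
  cat > "$2/openlmi_$1.te" <<EOF
policy_module(openlmi_$1, 1.0)

pegasus_openlmi_domain_template($1)
EOF
  printf '%s\n' "$2/openlmi_$1.te"
}

# Label the template is documented to create for the wrapper binary.
exec_type() { printf 'pegasus_openlmi_%s_exec_t\n' "$1"; }

# Domain the provider process runs in (assumption: the template names it
# pegasus_openlmi_NAME_t; only the _exec_t type is shown in the thread).
domain_type() { printf 'pegasus_openlmi_%s_t\n' "$1"; }

# Build, install and relabel. Needs root, selinux-policy-devel and the
# wrapper copied to $2 (e.g. /usr/libexec/pegasus/<yourprovider>-cimprovagt).
install_policy() {
  name=$1; wrapper=$2; dir=$(mktemp -d)
  gen_te "$name" "$dir" >/dev/null
  ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "openlmi_$name.pp" ) || return 1
  semodule -i "$dir/openlmi_$name.pp" || return 1
  chcon -t "$(exec_type "$name")" "$wrapper"
}

# Reduce an AVC record on stdin to "scontext -> tcontext tclass { perms }",
# which is the part of a denial that matters when reporting it.
summarize_avc() {
  sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 -> \3 \4 { \1}/p'
}

# Recent denials for one provider domain, as "ausearch -m avc -ts recent"
# would return them, filtered to that domain and summarised.
recent_denials() {
  ausearch -m avc -ts recent 2>/dev/null \
    | grep "scontext=[^ ]*:$(domain_type "$1"):" \
    | summarize_avc
}

# Constructed sample AVC record (not a real capture) for offline use.
SAMPLE_AVC='type=AVC msg=audit(1370000000.123:456): avc:  denied  { read } for  pid=1234 comm="cmpiLMI_Account" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:pegasus_openlmi_account_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file'

# Offline demonstration of the summariser on the constructed record.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a real host, run `install_policy account /usr/libexec/pegasus/<yourprovider>-cimprovagt` as root, exercise the provider through the CIMOM, then `recent_denials account` prints the denials in a compact form that can be pasted into a mail.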
On 05/29/2013 12:33 PM, Jan Safranek wrote:
I got quick info on how to start writing a policy for OpenLMI providers, see below. Please try it for your providers and send AVCs to Mirek Grepl.
I can only add:
0.1: Install necessary packages
# yum install selinux-policy-devel
0.2: read /usr/share/doc/tog-pegasus-2.12.1/README.RedHat.Security
0.3: based on the document above:
# cp /usr/share/doc/tog-pegasus-2.12.1/cmpiOSBase_OperatingSystemProvider-cimprovagt.example /usr/libexec/pegasus/<yourprovider>-cimprovagt
(and package the file)
# chmod 755 /usr/libexec/pegasus/<yourprovider>-cimprovagt
Umm, OpenLMI storage and software providers are written in python, which means they both use 'pyCmpiProvider' as the provider name and thus should share their SELinux policy.
Of course, that's not what we want, we want separate policies for these providers.
One option would be to change cimprovagt and Pegasus CIMOM to include also some other identifier (e.g. PG_ProviderModule.Name) on cimprovagt command line, thus our cimprovagt wrapper knows, which real cimprovagt to run. But this would require changes in Pegasus.
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
Jan
On 06/25/2013 04:56 PM, Jan Safranek wrote:
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
Hi, I like this solution.
RR
On Tue, 25 Jun 2013 16:56:59 +0200 Jan Safranek jsafrane@redhat.com wrote:
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
It's not really "pretty" but it's simple and if it works... Let's do that.
Regards,
On 06/25/2013 04:56 PM, Jan Safranek wrote:
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
If there are no objections, I'll add the attached README.SELinux to cmpi-providers-pywbem.rpm and implement the suggested adjustments in the next release of openlmi-storage.rpm.
All changes are Fedora downstream only, upstream is not affected.
Jan
On 06/27/2013 10:11 AM, Jan Safranek wrote:
On 06/25/2013 04:56 PM, Jan Safranek wrote:
Alternatively, we can create libpyCmpiLMI_Software.so and libpyCmpiLMI_Storage.so as symlinks to libpyCmpiProvider.so. In this case, we just need to change our registration files and package the new symlinks. Is it an acceptable solution?
If there are no objections, I'll add the attached README.SELinux to cmpi-providers-pywbem.rpm and implement the suggested adjustments in the next release of openlmi-storage.rpm.
All changes are Fedora downstream only, upstream is not affected.
Argh, scratch all this, I had misconfigured Pegasus. Pegasus passes PG_ProviderModule.ModuleGroupName to cimprovagt, which is different for OpenLMI storage and software providers, therefore no magic symlinks are needed.
Jan
openlmi-devel@lists.stg.fedorahosted.org