Bug 193156

*** Bug 193155 has been marked as a duplicate of this bug. ***

Is anyone reviewing this request?

Dan

I don't believe so.  I looked at it, saw "replace hal/udev" and went "out of my
league".  I followed the URL in the spec and didn't see anything explanatory.

It's tough to do a review when you have absolutely no idea what the package is
supposed to be doing.

This package is required by the EAL4 LSPP Effort going on for RHEL5.  Basically
the requirement states that all device allocation for a use has to happen
manually by the user, and needs to be auditited.  So hal/udev combination can
not automatically setup a USB device or a rw-cdrom.  The user needs to do this
manually.

Steve could you further elaborate.

That functionality does seem pretty scary.  Can this not run in conjunction with
udev or hal?

The %files section looks a little weird.

%doc conf/dev_allocator.conf <-- no abs path?
leading slashes on %{_libdir}

and I think the manfile can be handled with mandir alias.

Also, do we really need the .a file?  We _really_ don't want things to link
statically, unless there is a specific need.

The LSPP security target states that no automatic labeling is to be done without
the administrator having done it. Dan's statement of replacing udev/hal is
somewhat misleading. We can use udev/hal for initial labeling, but we will have
to make the init script stop them when init is complete. When the system is
operational and ready for users to log in, device allocation must be done
manually. For example, you may want to designate a printer for secret documents.
Or change it to be Top Secret. We cannot have a hotplug event to come along and
change the level.

Regarding the review, we just need to make sure it conforms to FC/E guidelines.

Updated to fix above comments

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-2.src.rpm

Description: This package contains the devallocator tool which is required for
LSPP Conformance. When the system is operational and ready for users to log in,
device allocation must be done manually. For example, you may want to designate
a printer for secret documents. Or change it to be Top Secret. Hotplug events
cannot be allowed to change the level. dev_allocator is required to replace
hal/udev after system startable.  Removable Devices need to be manually
allocated by users in an MLS environment.  This tool allows for the auditing of
these events.  Automatic allocation of devices is not allowed in an LSPP
environment.

Requires(pre) should be Requires(preun)
Remove leading slash from /%{_libdir}/libdevallocation.so

and /%{_libdir}/libdevallocation.so.*
and /%{_libdir}/devallocation/*
and /usr/share/devallocation/*

Fails to build on x86_64 as the install installs stuff to /usr/lib rather than
/usr/lib64.  This will need to be fixed.

Applied this fixes and fixed to build on x86_64.

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-4.src.rpm

RPMLINT just has to say:
E: devallocator non-standard-executable-perm /usr/bin/dev_allocator 04755
E: devallocator setuid-binary /usr/bin/dev_allocator root 04755
W: devallocator-devel no-documentation
W: devallocator no-reload-entry /etc/rc.d/init.d/devallocator
W: devallocator service-default-enabled /etc/rc.d/init.d/devallocator

The first two should be addressed or mentioned whats going on, the first warning
is somewhat ignorable, same with the second error (although a reload would be
nice), and do we want this service enabled by default?

Updated to latest upstream version, but I think we are going to pull this from
Extras and just build it for RHEL5.  Since it really is not for general use on
non MLS Machines.

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.7-1.src.rpm

removing FE-REVIEW since this has been closed.