Bug 193156 - Review Request: devallocator
Review Request: devallocator
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Cantrell
Fedora Package Reviews List
:
: 193155 (view as bug list)
Depends On:
Blocks: 197170
  Show dependency treegraph
 
Reported: 2006-05-25 14:09 EDT by Daniel Walsh
Modified: 2013-01-09 22:48 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-13 15:43:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Daniel Walsh 2006-05-25 14:09:14 EDT
Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-1.src.rpm

Description: This package contains the devallocator tool which is required for MLS Conformance. dev_allocator is required to replace hal/udev.  Removable Devices need to be manually allocated by users in an MLS environment.  This tool allows for the auditing of these events.  Automatic allocation of devices is not allowed in an LSPP environment.

This package replaces the previous request for mlsutils.
Comment 1 Brian Pepple 2006-05-25 14:29:54 EDT
*** Bug 193155 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2006-06-07 16:48:46 EDT
Is anyone reviewing this request?

Dan
Comment 3 Jason Tibbitts 2006-06-07 22:43:38 EDT
I don't believe so.  I looked at it, saw "replace hal/udev" and went "out of my
league".  I followed the URL in the spec and didn't see anything explanatory.

It's tough to do a review when you have absolutely no idea what the package is
supposed to be doing.
Comment 4 Daniel Walsh 2006-06-08 10:43:33 EDT
This package is required by the EAL4 LSPP Effort going on for RHEL5.  Basically
the requirement states that all device allocation for a use has to happen
manually by the user, and needs to be auditited.  So hal/udev combination can
not automatically setup a USB device or a rw-cdrom.  The user needs to do this
manually.

Steve could you further elaborate.
Comment 5 Jesse Keating 2006-06-08 10:53:28 EDT
That functionality does seem pretty scary.  Can this not run in conjunction with
udev or hal?

The %files section looks a little weird.

%doc conf/dev_allocator.conf <-- no abs path?
leading slashes on %{_libdir}

and I think the manfile can be handled with mandir alias.

Also, do we really need the .a file?  We _really_ don't want things to link
statically, unless there is a specific need.
Comment 6 Steve Grubb 2006-06-08 11:22:37 EDT
The LSPP security target states that no automatic labeling is to be done without
the administrator having done it. Dan's statement of replacing udev/hal is
somewhat misleading. We can use udev/hal for initial labeling, but we will have
to make the init script stop them when init is complete. When the system is
operational and ready for users to log in, device allocation must be done
manually. For example, you may want to designate a printer for secret documents.
Or change it to be Top Secret. We cannot have a hotplug event to come along and
change the level.

Regarding the review, we just need to make sure it conforms to FC/E guidelines.
Comment 7 Daniel Walsh 2006-06-08 11:57:04 EDT
Updated to fix above comments

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-2.src.rpm

Description: This package contains the devallocator tool which is required for
LSPP Conformance. When the system is operational and ready for users to log in,
device allocation must be done manually. For example, you may want to designate
a printer for secret documents. Or change it to be Top Secret. Hotplug events
cannot be allowed to change the level. dev_allocator is required to replace
hal/udev after system startable.  Removable Devices need to be manually
allocated by users in an MLS environment.  This tool allows for the auditing of
these events.  Automatic allocation of devices is not allowed in an LSPP
environment.
Comment 8 Jesse Keating 2006-06-14 15:27:43 EDT
Requires(pre) should be Requires(preun)
Remove leading slash from /%{_libdir}/libdevallocation.so

and /%{_libdir}/libdevallocation.so.*
and /%{_libdir}/devallocation/*
and /usr/share/devallocation/*

Fails to build on x86_64 as the install installs stuff to /usr/lib rather than
/usr/lib64.  This will need to be fixed.
Comment 9 Daniel Walsh 2006-06-19 10:56:55 EDT
Applied this fixes and fixed to build on x86_64.

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.4-4.src.rpm
Comment 10 Jesse Keating 2006-06-28 21:40:54 EDT
RPMLINT just has to say:
E: devallocator non-standard-executable-perm /usr/bin/dev_allocator 04755
E: devallocator setuid-binary /usr/bin/dev_allocator root 04755
W: devallocator-devel no-documentation
W: devallocator no-reload-entry /etc/rc.d/init.d/devallocator
W: devallocator service-default-enabled /etc/rc.d/init.d/devallocator

The first two should be addressed or mentioned whats going on, the first warning
is somewhat ignorable, same with the second error (although a reload would be
nice), and do we want this service enabled by default?
Comment 11 Daniel Walsh 2006-07-13 15:42:30 EDT
Updated to latest upstream version, but I think we are going to pull this from
Extras and just build it for RHEL5.  Since it really is not for general use on
non MLS Machines.

Spec URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator.spec
SRPM URL: ftp://people.redhat.com/dwalsh/SELinux/devallocator-0.5.7-1.src.rpm
Comment 12 Kevin Fenzi 2006-12-21 22:42:34 EST
removing FE-REVIEW since this has been closed. 

Note You need to log in before you can comment on or make changes to this bug.