[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Not good

From: Daniel J Walsh <dwalsh redhat com>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Subject: Re: Not good
Date: Mon, 05 Apr 2004 17:11:05 -0400

Gene Czarcinski wrote:

On Monday 05 April 2004 10:40, Chris Ricker wrote:
On Sat, 3 Apr 2004, Jeff Johnson wrote:

All rpm tools have this problem, as one of the two big lies in rpm is All-or-nothing behavior when installing packages. That lie is true iff packages are perfect. That is very much not the case during a development cycle with an importatnt paradigm shift like selinux.

I don't see the selinux policy issues as being any different than, say,
# mount -o remount,ro /usr
# yum update
<massive fun ensues>
#
People have lived with that for years, they'll learn to live with similar situations due to selinux configs....
I agree but ... we need to understand what the "rules" are with respect to selinux related packages. When things get screwed up, how do we unscrew them. I did not know that the active policy had to be named policy.<version> so when the file was named "policy." I thought it was OK. If I had known, it was a quick fix to rename it to "policy.16".

I do believe that the policy packages needs some work:

1. Cannot be built in a private build tree (this possibly caused the "policy." problem which is fixed in 1.9.2-11 ... we will see if it builds in the private tree by a regular user).

This is a bug caused by the user being unable to read policy_config_t files (file_context)

2. When policy is installed, it loads the policy it just installed ... OK, sounds reasonable. But, if you then install/update policy-sources, it causes the policy to be rebuilt from source and reloaded again! Why?

We are going to rework the make file to build all supported policy versions. The problem is that the kernels are supporting newer versions of policy, but you can select older kernels which will cause crashes. So if we need to build policy.15 and 16 now and soon 17 ...

3. From what I see, there is no reason to have the policy package at all since policy-sources will build the needed files (except for /etc/security/{default_contexts,default_type,failsafe_context} and they could be in policy-sources too.

The problem is that policy-sources requires additional packages, checkpolicy, m4, make ... and it is considered that minimal installs don't need all that stuff. We have just made a change to link up policy-sources to policy, So you can install policy alone, but once you install policy-sources you will be required to install an updated policy file, so they should work in lockstep, Also if you have updated policy files users, tunables. Then policy will not override them. The last problem is when the policy version changes (not the rpm version).

The fix above to build all supported policy versions should fix that.

Gene

-- fedora-selinux-list mailing list fedora-selinux-list redhat com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Follow-Ups:
- Re: Not good
  - From: Gene Czarcinski
- Re: Not good
  - From: David Caplan

References:
- Not good
  - From: Gene Czarcinski
- Re: Not good
  - From: Jeff Johnson
- Re: Not good
  - From: Chris Ricker
- Re: Not good
  - From: Gene Czarcinski

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]