I got a mess when both policy and policy sources got upgraded.

[Aleksey Nogin <aleksey nogin org>]

Just filed https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604 :

1) I installed policy-sources (which required installing the policy 
package as well).
2) I modified /etc/security/selinux/src/policy/users (to include myself 
with appropriate staff roles) and started using the locally augmented 
policy.
3) After a while, I ran "up2date -u" which picked up that both policy 
and policy-sources need to be updated.
4) up2date -u upgraded the policy package.

!!! At this point, the default policy got installed and loaded,
!!! overriding the local changes. All the processes that were running in
!!! context aleksey:staff_r:staff_t became system_u:object_r:unlabeled_t

5) Later in the up2date -u, the policy-source package was upgraded, the 
new locally-augmented policy got rebuilt and loaded and things got back 
to normal. But the mis-labeled processes stayed mislabeled (which caused 
some files to become mislabeled too).

P.S. At a minimum, the policy files in the policy package should be 
%config(noreplace). But the best solution would be to _only_ one package 
that would include all the source files and would always do the 
make-and-install-and-reload on upgrade.

P.P.S Sticking with just one (source-based) policy package would also 
make it easier to implement the RFE in 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118571 .

--
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin cs caltech edu (office), aleksey nogin org (personal)
Office: Jorgensen 70, tel: (626) 395-2907