
Re: SELinux Module Packaging in FC5



Stephen John Smoogen wrote:
On 5/16/06, Paul Howarth <paul city-fan org> wrote:
Stephen Smalley wrote:
> On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
>> Is there any documentation anywhere on including SELinux Policy Modules
>> in packages (e.g. for Extras) in FC5? For instance, is there a directory
>> where modules can be dropped into so that they get picked up
>> automatically? Where should they live?
>


This rather defeats the purpose of having the separate -policy package,
since I need to use restorecon to fix the file contexts at post-install
time in case both packages are installed in the same transaction (a
likely scenario). I could do this equally well using a single package,
but it's untidy (I have to specify the pathnames that need non-standard
contexts in both the .fc policy file and as an argument to restorecon in
%post). I really prefer the separate package solution, but I think that
would need changes in rpm, which might be hard to get done.

Any thoughts?


An ugly ugly ugly fix might be to have a triggerpost that does a
restorecon/setcon on the files when the parent package is installed.
That way it ensures the package is reset correctly. Again ugly and
might not work.

For now I've merged the two packages back into one and am using restorecon in %post after semodule to fix up the context.

Next problem:

I built and tested the package on one system, which was fully up to date. Worked fine. Then tried installing the package on another system that was running an older kernel and had older libsepol and selinux-policy-targeted packages. The result was:

# rpm -Uvh contagged-0.3-2.noarch.rpm
Preparing...                ########################################### [100%]
   1:contagged              warning: /etc/httpd/conf.d/contagged.conf created as /etc/httpd/conf.d/contagged.conf.rpmnew
########################################### [100%]
libsepol.class_copy_callback: contagged: Modules may not yet declare new classes.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
# rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.34-3.fc5
libsepol-1.12.4-1.fc5
libsemanage-1.6.2-2.fc5

After doing a "yum update" on this system, the package installed cleanly.

Is this a result of the required feature being missing from one of these (or some other) packages, or is a compiled .pp module compatible only with the specific version of something it was built against?

Is there some way of specifying the necessary dependency in the package containing the binary policy module, or is it so volatile (like a kernel module for instance) that the best bet would be to ship policy sources and build them in %post?

Paul.
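One way to package a policy module along the lines discussed in this thread, as an added example that is not the contagged package's own spec and not from any of the posters: the fragment records the selinux-policy version present at build time as a runtime dependency, loads the module with semodule in %post, and runs restorecon over the same path list the .fc file labels. The policyhelp-based version probe, the macro names and the paths under /var/www and /var/lib are assumptions.

```spec
# Assumed spec fragment: not the contagged package's own spec file.
# Capture the selinux-policy version the module is built against
# (assumption: selinux-policy-devel ships /usr/share/selinux/devel/policyhelp
# under a path containing that version) and require at least that version at
# install time, so the .pp is never loaded by an older policy/libsepol stack.
%global selinux_policyver %(sed -e 's,.*selinux-policy-\\([^/]*\\)/.*,\\1,' /usr/share/selinux/devel/policyhelp 2>/dev/null || echo 0.0.0)
# Paths that contagged.fc labels; listed once here and reused by restorecon.
%global selinux_paths /var/www/contagged /var/lib/contagged

Requires:         selinux-policy >= %{selinux_policyver}
Requires(post):   policycoreutils
Requires(postun): policycoreutils
BuildRequires:    checkpolicy, selinux-policy-devel

%build
# Build the binary module from contagged.te / contagged.fc using the
# Makefile shipped by selinux-policy-devel.
make -f /usr/share/selinux/devel/Makefile contagged.pp

%install
install -d %{buildroot}%{_datadir}/selinux/packages
install -p -m 644 contagged.pp %{buildroot}%{_datadir}/selinux/packages/

%post
# Load (or upgrade) the module. A failure here, such as the libsepol
# "Modules may not yet declare new classes" error seen on an older host,
# must not abort the rpm transaction, hence the trailing "|| :".
/usr/sbin/semodule -i %{_datadir}/selinux/packages/contagged.pp 2>/dev/null || :
# Relabel the files this package owns: when the policy and the files land
# in the same transaction, rpm laid the files down under the old contexts.
/sbin/restorecon -R %{selinux_paths} 2>/dev/null || :

%postun
if [ "$1" -eq 0 ]; then
    # Final erase: unload the module and relabel back to the base policy.
    /usr/sbin/semodule -r contagged 2>/dev/null || :
    /sbin/restorecon -R %{selinux_paths} 2>/dev/null || :
fi
```

The Requires line only guards against a policy older than the build host's; it does not make a .pp built on a newer toolchain load on an older libsepol, which is the failure shown above.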

