SELinux Module Packaging in FC5

Paul Howarth paul at city-fan.org
Tue May 16 15:56:25 UTC 2006


Stephen John Smoogen wrote:
> On 5/16/06, Paul Howarth <paul at city-fan.org> wrote:
>> Stephen Smalley wrote:
>> > On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
>> >> Is there any documentation anywhere on including SELinux Policy Modules
>> >> in packages (e.g. for Extras) in FC5? For instance, is there a directory
>> >> where modules can be dropped into so that they get picked up
>> >> automatically? Where should they live?
>> >
> 
>>
>> This rather defeats the purpose of having the separate -policy package,
>> since I need to use restorecon to fix the file contexts at post-install
>> time in case both packages are installed in the same transaction (a
>> likely scenario). I could do this equally well using a single package,
>> but it's untidy (I have to specify the pathnames that need non-standard
>> contexts in both the .fc policy file and as an argument to restorecon in
>> %post). I really prefer the separate package solution, but I think that
>> would need changes in rpm, which might be hard to get done.
>>
>> Any thoughts?
>>
> 
> An ugly ugly ugly fix might be to have a triggerpost that does a
> restorecon/setcon on the files when the parent package is installed.
> That way it ensures the package is reset correctly. Again ugly and
> might not work.

For now I've merged the two packages back into one and am using 
restorecon in %post after semodule to fix up the context.

Next problem:

I built and tested the package on one system, which was fully up to 
date. Worked fine. Then tried installing the package on another system 
that was running an older kernel and had older libsepol and 
selinux-policy-targeted packages. The result was:

# rpm -Uvh contagged-0.3-2.noarch.rpm
Preparing...                ########################################### [100%]
   1:contagged              warning: /etc/httpd/conf.d/contagged.conf created as /etc/httpd/conf.d/contagged.conf.rpmnew
########################################### [100%]
libsepol.class_copy_callback: contagged: Modules may not yet declare new classes.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
# rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.34-3.fc5
libsepol-1.12.4-1.fc5
libsemanage-1.6.2-2.fc5

After doing a "yum update" on this system, the package installed cleanly.

Is this a result of the required feature being missing from one of these 
(or some other) packages, or is a compiled .pp module compatible only 
with the specific version of something it was built against?

Is there some way of specifying the necessary dependency in the package 
containing the binary policy module, or is it so volatile (like a kernel 
module for instance) that the best bet would be to ship policy sources 
and build them in %post?

Paul.
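
An added example, not code from Paul's post or from the contagged package, of the single-package approach he settled on above: POSIX sh helpers that an RPM %post/%postun scriptlet can source to load the binary .pp with semodule and then run restorecon over the paths whose contexts the module's .fc file changes, so labels are right even when the module and the files arrive in the same rpm transaction. The module name, the .pp location and the relabelled paths in the comments are assumptions; the tool paths are overridable (SEMODULE=echo and so on) so the control flow can be exercised on a host without SELinux. It does not settle the libsepol/selinux-policy version question raised at the end of the post; that would need a versioned Requires on whatever the module was built against, which is a suggestion rather than something the thread establishes.

```shell
#!/bin/sh
# Added example, not code from the original post or the contagged package.
# Helpers for an RPM %post/%postun that ships a binary SELinux policy module
# (.pp) together with the files it labels: load the module with semodule,
# then restorecon the paths named in the module's .fc file so the labels
# are correct even when the files were unpacked in the same rpm transaction.
#
# Tool paths are overridable (e.g. SEMODULE=echo) so the flow can be run on
# a host without SELinux; the defaults are the FC5 locations.
SEMODULE=${SEMODULE:-/usr/sbin/semodule}
RESTORECON=${RESTORECON:-/sbin/restorecon}
SELINUXENABLED=${SELINUXENABLED:-/usr/sbin/selinuxenabled}

# selinux_policy_install NAME PP_FILE PATH...
# Loads PP_FILE and relabels each PATH recursively.  Returns 0 on success
# or when SELinux is disabled; returns 1 if semodule fails, in which case
# restorecon is not run (the base policy's contexts are left in place).
selinux_policy_install() {
    name=$1
    pp=$2
    shift 2
    # Nothing to do on a host with SELinux disabled.
    "$SELINUXENABLED" 2>/dev/null || return 0
    # semodule -i also replaces an already-loaded module of the same name,
    # so the same call serves first install and upgrade.
    if ! "$SEMODULE" -i "$pp"; then
        echo "$name: semodule -i $pp failed, file contexts not changed" >&2
        return 1
    fi
    "$RESTORECON" -R "$@"
}

# selinux_policy_remove NAME PATH...
# For %postun on the final erase ($1 is 0 there): unload the module and
# relabel whatever is left under PATH... back to the base policy's contexts.
selinux_policy_remove() {
    name=$1
    shift
    "$SELINUXENABLED" 2>/dev/null || return 0
    "$SEMODULE" -r "$name" || return 1
    # Paths may already be gone after erase; restorecon warnings are harmless.
    "$RESTORECON" -R "$@" 2>/dev/null || :
}

# Spec-file use (assumed names; %{name} = contagged):
#   %post
#   . %{_datadir}/%{name}/selinux-helpers.sh
#   selinux_policy_install %{name} %{_datadir}/selinux/packages/%{name}.pp \
#       /var/www/%{name} /etc/httpd/conf.d/%{name}.conf
#   %postun
#   if [ "$1" -eq 0 ]; then
#       . %{_datadir}/%{name}/selinux-helpers.sh
#       selinux_policy_remove %{name} /var/www/%{name}
#   fi
```

In rpm scriptlets $1 is the count of package instances left after the operation, so %post sees 1 on first install and 2 on upgrade, and %postun sees 0 only on the final erase; that is why the removal helper is guarded on $1 and the install helper needs no upgrade branch. Listing the relabel paths in both the .fc file and the scriptlet is the duplication the post complains about; keeping them in one sourced helper at least gives a single place to edit in the package.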
