[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: SELinux Module Packaging in FC5

From: Paul Howarth <paul city-fan org>
To: Stephen John Smoogen <smooge gmail com>
Cc: Daniel J Walsh <dwalsh redhat com>, SELinux-dev tresys com, fedora-selinux-list redhat com
Subject: Re: SELinux Module Packaging in FC5
Date: Tue, 16 May 2006 16:56:25 +0100

Stephen John Smoogen wrote:

On 5/16/06, Paul Howarth <paul city-fan org> wrote:

Stephen Smalley wrote:
> On Tue, 2006-03-14 at 10:29 +0000, Paul Howarth wrote:
>> Is there any documentation anywhere on including SELinux PolicyModules>> in packages (e.g. for Extras) in FC5? For instance, is there adirectory
>> where modules can be dropped into so that they get picked up
>> aotomatically? Where should they live?
>


This rather defeats the purpose of having the separate -policy package,
since I need to use restorecon to fix the file contexts at post-install
time in case both packages are installed in the same transaction (a
likely scenario). I could do this equally well using a single package,
but it's untidy (I have to specify the pathnames that need non-standard
contexts in both the .fc policy file and as an argument to restorecon in
%post). I really prefer the separate package solution, but I think that
would need changes in rpm, which might be hard to get done.

Any thoughts?


An ugly ugly ugly fix might be to have a triggerpost that does a
restorecon/setcon on the files when the parent package is installed.
That way it ensures the package is reset correctly. Again ugly and
might not work.

For now I've merged the two packages back into one and am usingrestorecon in %post after semodule to fix up the context.


Next problem:

I built and tested the package on one system, which was fully up todate. Worked fine. Then tried installing the package on other systemthat was running an older kernel and had older libsepol andselinux-policy-targeted packages. The result was:


# rpm -Uvh contagged-0.3-2.noarch.rpm

Preparing... ###########################################[100%]1:contagged warning: /etc/httpd/conf.d/contagged.confcreated as /etc/httpd/conf.d/contagged.conf.rpmnew

########################################### [100%]

libsepol.class_copy_callback: contagged: Modules may not yet declare newclasses.

libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!
# rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.34-3.fc5
libsepol-1.12.4-1.fc5
libsemanage-1.6.2-2.fc5

After doing a "yum update" on this system, the package installed cleanly.

Is this a result of the required feature being missing from one of these(or some other) packages, or is a compiled .pp module compatible onlywith the specific version of something it was built against?

Is there some way of specifying the necessary dependency in the packagecontaining the binary policy module, or is it so volatile (like a kernelmodule for instance) that the best bet would be to ship policy sourcesand build them in %post?


Paul.

Follow-Ups:
- Re: SELinux Module Packaging in FC5
  - From: Stephen Smalley

References:
- Re: SELinux Module Packaging in FC5
  - From: Paul Howarth
- Re: SELinux Module Packaging in FC5
  - From: Stephen John Smoogen

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]