Re: SELinux Module Packaging in FC5
- From: Stephen Smalley <sds tycho nsa gov>
- To: Paul Howarth <paul city-fan org>
- Cc: Stephen John Smoogen <smooge gmail com>, Daniel J Walsh <dwalsh redhat com>, SELinux-dev tresys com, fedora-selinux-list redhat com
- Subject: Re: SELinux Module Packaging in FC5
- Date: Tue, 16 May 2006 12:30:25 -0400

On Tue, 2006-05-16 at 16:56 +0100, Paul Howarth wrote:
> Next problem:
>
> I built and tested the package on one system, which was fully up to
> date. Worked fine. Then tried installing the package on other system
> that was running an older kernel and had older libsepol and
> selinux-policy-targeted packages. The result was:
>
> # rpm -Uvh contagged-0.3-2.noarch.rpm
> Preparing... ###########################################
> [100%]
> 1:contagged warning: /etc/httpd/conf.d/contagged.conf
> created as /etc/httpd/conf.d/contagged.conf.rpmnew
> ########################################### [100%]
> libsepol.class_copy_callback: contagged: Modules may not yet declare new
> classes.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
> # rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.34-3.fc5
> libsepol-1.12.4-1.fc5
> libsemanage-1.6.2-2.fc5
>
> After doing a "yum update" on this system, the package installed cleanly.
>
> Is this a result of the required feature being missing from one of these
> (or some other) packages, or is a compiled .pp module compatible only
> with the specific version of something it was built against?

I'm confused - I thought you said that the policy package only contained
a file contexts section, not a policy module. Was there a policy
module? If so, what was the source? The above looks like a bug to me.
The receiving system has to have a libsepol that understands the policy
package format and module format, which are versioned, but the above
doesn't appear to be a format issue. There is a pending change in the
module format, but you will be able to tell checkmodule to generate the
older format as well, and libsepol provides backward compatibility for
older formats.

> Is there some way of specifying the necessary dependency in the package
> containing the binary policy module, or is it so volatile (like a kernel
> module for instance) that the best bet would be to ship policy sources
> and build them in %post?

No, they are intended to allow separate building and distribution.
--
Stephen Smalley
National Security Agency