SELinux Module Packaging in FC5

Stephen Smalley sds at tycho.nsa.gov
Fri May 19 13:12:03 UTC 2006


On Thu, 2006-05-18 at 14:18 +0100, Paul Howarth wrote:
> Another query regarding policy module packages in RPMs:
> 
> Supposing a package is installed when the system has SELinux disabled.
> 
> What would happen if semodule was called to install a policy module?
> 
> If the result is that nothing happens (or semodule bombs out with an 
> error of some sort), what would then happen if the system subsequently 
> had SELinux enabled and the system was relabelled? Would the package 
> containing the policy module have to be reinstalled?
> 
> I'd try it myself but I can't bring myself to disable SELinux on any of 
> my boxes and go through the whole relabelling process.

If policy is installed on the system, then semodule (actually
libsemanage) will install the module and rebuild the generated files,
but will not try to load policy into the kernel since SELinux is
disabled.  Then, if you enable SELinux, the module will already be
included in the policy.

If policy is not installed on the system, then semodule will abort with
an error like this:
semodule:  SELinux policy is not managed or store cannot be accessed.

Note also that one should generally use semodule -s <policytype> as in
the selinux-policy .spec file to indicate which kind of policy your
module is built for (targeted, strict, mls).  Then, if the system is
running a different kind of policy, semodule will know to install the
module to the proper location (not the active policy) and to not try to
load it.

-- 
Stephen Smalley
National Security Agency
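
Added example (not part of the original message, and not code from the selinux-policy package): a %post-style shell helper that applies the semodule -s <policytype> advice above to each policy type named in the message. The module name, both directory layouts, and treating an existing /etc/selinux/<type> directory as "policy installed" are assumptions.

```shell
#!/bin/sh
# Assumptions (not from the original message): module name and directory layout.
MODNAME="${MODNAME:-mymodule}"             # hypothetical module name
PP_DIR="${PP_DIR:-/usr/share/selinux}"     # assumed layout: <PP_DIR>/<type>/<module>.pp
STORE_ROOT="${STORE_ROOT:-/etc/selinux}"   # assumed: one directory per installed policy type
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"

# Install the module for every policy type present on the system.
# Prints one "<type>:<status>" line per type and always returns 0, so a
# missing policy never fails the package transaction.
install_policy_module() {
    for ptype in targeted strict mls; do
        pp="$PP_DIR/$ptype/$MODNAME.pp"
        if [ ! -d "$STORE_ROOT/$ptype" ]; then
            # No policy of this type installed: semodule would abort with
            # "SELinux policy is not managed or store cannot be accessed."
            echo "$ptype:skipped-no-policy"
        elif [ ! -f "$pp" ]; then
            # The package ships no module built for this policy type.
            echo "$ptype:skipped-no-package"
        elif "$SEMODULE" -s "$ptype" -i "$pp" >/dev/null 2>&1; then
            # -s names the policy type, so the module goes to that type's
            # location; semodule decides by itself whether to load it.
            echo "$ptype:installed"
        else
            echo "$ptype:failed"
        fi
    done
    return 0
}

# A %post scriptlet would source or inline the function and then call:
#   install_policy_module
```

Because the function never returns non-zero, a system with SELinux disabled or with no policy installed still completes the package install.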



