Not good

Daniel J Walsh dwalsh at redhat.com
Mon Apr 5 21:11:05 UTC 2004


Gene Czarcinski wrote:

>On Monday 05 April 2004 10:40, Chris Ricker wrote:
>  
>
>>On Sat, 3 Apr 2004, Jeff Johnson wrote:
>>    
>>
>>>All rpm tools have this problem, as one of the two big lies in rpm is
>>>    All-or-nothing behavior when installing packages.
>>>That lie is true iff packages are perfect. That is very much not the
>>>case during a development cycle with an important paradigm shift like selinux.
>>>      
>>>
>>I don't see the selinux policy issues as being any different than, say,
>>
>># mount -o remount,ro /usr
>># yum update
>><massive fun ensues>
>>#
>>
>>People have lived with that for years, they'll learn to live with similar
>>situations due to selinux configs....
>>    
>>
>
>I agree but ... we need to understand what the "rules" are with respect to 
>selinux related packages.  When things get screwed up, how do we unscrew 
>them.  I did not know that the active policy had to be named policy.<version> 
>so when the file was named "policy." I thought it was OK.  If I had known, it 
>was a quick fix to rename it to "policy.16".
>
>I do believe that the policy packages need some work:
>
>1. Cannot be built in a private build tree (this possibly caused the "policy." 
>problem which is fixed in 1.9.2-11 ... we will see if it builds in the 
>private tree by a regular user).
>  
>
This is a bug caused by the user being unable to read policy_config_t files (file_context).

>2. When policy is installed, it loads the policy it just installed ... OK, 
>sounds reasonable.  But, if you then install/update policy-sources, it causes 
>the policy to be rebuilt from source and reloaded again!  Why?
>  
>
We are going to rework the makefile to build all supported policy versions. The problem is that the kernels are supporting newer versions of policy, but you can select older kernels, which will cause crashes. So we need to build policy.15 and 16 now and soon 17 ...

>3. From what I see, there is no reason to have the policy package at all since 
>policy-sources will build the needed files (except for 
>/etc/security/{default_contexts,default_type,failsafe_context} and they could 
>be in policy-sources too.
>  
>
The problem is that policy-sources requires additional packages (checkpolicy, m4, make ...), and it is considered that minimal installs don't need all that stuff. We have just made a change to link up policy-sources to policy, so you can install policy alone, but once you install policy-sources you will be required to install an updated policy file, so they should work in lockstep. Also, if you have updated policy files (users, tunables), then policy will not override them. The last problem is when the policy version changes (not the rpm version).

The fix above to build all supported policy versions should fix that.


>Gene
>
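The thread turns on two facts: the loaded policy file must be named policy.<version> (a file named just "policy." is silently wrong), and the version built must be one the running kernel can load. The following shell script is an added example, not code from this thread or from the Fedora policy packages; it scans a policy directory for correctly named policy.<N> files, flags misnamed ones, and picks the highest version that does not exceed the kernel's reported maximum. The directory /etc/security/selinux, the selinuxfs policyvers file path, and the rule "any version up to the kernel's maximum is loadable" (the kernel's minimum supported version is not checked) are assumptions of the example.

```shell
#!/bin/sh
# Added example: verify that an installed SELinux binary policy file follows
# the policy.<version> naming and matches the kernel's supported policy version.
# Assumption: the kernel reports its maximum policy version in the selinuxfs
# "policyvers" file; the path is overridable so the check can run on constructed input.

find_policy_for_kernel() {
    # $1 = directory holding policy.<N> files, $2 = kernel's maximum policy version
    dir=$1
    kver=$2
    best=""
    for f in "$dir"/policy.*; do
        [ -e "$f" ] || continue
        ver=${f##*/policy.}
        # A file named "policy." (empty version) or with a non-numeric suffix is
        # misnamed and will never be picked up as the active policy.
        case $ver in ''|*[!0-9]*) echo "misnamed policy file: $f" >&2; continue ;; esac
        if [ "$ver" -le "$kver" ]; then
            if [ -z "$best" ] || [ "$ver" -gt "$best" ]; then
                best=$ver
            fi
        fi
    done
    # No loadable policy for this kernel: report failure so callers can stop early.
    [ -n "$best" ] || return 1
    echo "$dir/policy.$best"
}

check_running_system() {
    # Assumed locations: policy directory as used by the 2004-era packages and the
    # kernel's policyvers file (modern systems mount selinuxfs at /sys/fs/selinux).
    vers_file=${SELINUXFS_POLICYVERS:-/sys/fs/selinux/policyvers}
    if [ ! -r "$vers_file" ]; then
        echo "cannot read kernel policy version from $vers_file" >&2
        return 2
    fi
    find_policy_for_kernel "${1:-/etc/security/selinux}" "$(cat "$vers_file")"
}
```

Run `check_running_system` on a live machine to print the policy file the kernel should load, or call `find_policy_for_kernel DIR VERSION` directly to audit a package build tree before it is installed; a non-zero exit means no correctly named, loadable policy was found.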


