
Re: .te file in RPMs

mike flyn org wrote:

I would like to learn the proper way for a package to install an
te file, rebuild the SELinux policy and load the new policy. Could
point me in the proper direction? Is there something better than "make
reload" in the post-install script?

Currently there is no proper method.

Loading the policy in the post-install alone won't do it. Any policy that
is significant will add new file types, and the package which contains the
policy (*) will have files that need to be labeled with those types. This
means that you would have to not only load the policy but label the files
in the post-install script. This is ugly.

Does this mean that this is not a blocker for Fedora Core 2, as the entry in
the SELinux roadmap at http://fedora.redhat.com/projects/selinux/ seems to
imply ("Fedora Core 2 release may happen after item 9 or 10...")?

The means to save *.te files exists in rpm-4.3 and later.

In %files, adding %policy before a path will load the contents of the file into metadata.

If the path is relative, then it's relative to the build directory, and the contents go only
into the header.

If the path is absolute, then it's relative to $RPM_BUILD_ROOT, and the contents go
into both the header and the payload.

Now, all that being said, the entire mechanism is gonna be scrapped and redone, for
several reasons:

1) policy is now composed of both macros and *.te files (and *.fc, handled already), and has
policy versions and booleans and probably other "stuff" in the works that needs to be
accommodated.
2) policy is still changing too rapidly for it to make sense to burn into package headers that
are about to be released as Fedora Core 2, which will persist long beyond the development
cycle.

So it's time to back up and redesign how policy should be packaged into rpm.

So, "Not a blocker" afaik.

73 de Jeff
