rpm -V selinux-policy-targeted

Jeff Johnson n3npq at nc.rr.com
Wed Nov 24 17:11:15 UTC 2004


Daniel J Walsh wrote:

> Joe Orton wrote:
>
>> On Wed, Nov 24, 2004 at 10:05:55AM -0500, Daniel J Walsh wrote:
>>
>>> Joe Orton wrote:
>>
>> ...
>>
>>>> ..5....T. c /etc/selinux/targeted/policy/policy.18
>>>>
>>>> Since policy/policy.18 is marked %config(noreplace) the new policy.18
>>>> file is installed as policy.18.rpmnew and hence it seems manual
>>>> intervention is needed to load the new policy, it's not a simple rpm -U
>>>> or up2date run away - is this desirable?
>>>
>>> This means that you modified the file_context/policy.18 file by
>>> using selinux-policy-targeted-sources file.
>>> The upgrade of selinux-policy-targeted-sources should do a make
>>> reload when it completes, causing the policy.18 and file_contexts file
>>> to be replaced.  This way, if you made local changes, they will be
>>> maintained.  (There was/is a bug with the moving of the /usr/bin files
>>> to /usr/sbin that is causing certain *sources rpms not to do a make
>>> load.)
>>
>> No, I didn't make any local changes, I haven't touched the files, this
>> was on a fresh kickstart.  Ah, it looks like the %post script for
>> selinux-policy-targeted-sources will reload the policy the first time
>> it's installed too, i.e. by anaconda.  So it's doomed from the outset.
>>
>> That could be changed to really only happen on upgrades, but I'd
>> question whether -sources should automatically reload the policy at
>> all. Getting so easily into a state where "up2date selinux-targeted-policy"
>> doesn't automatically apply policy updates (given no local modifications
>> to the sources) is bad.
>>
> OK, we can turn off automatic update of policy from
> selinux-policy-*sources, but then the user will need to manually update
> the policy if he has manipulated it.


A more seamless mechanism to upgrade policy is gonna be needed eventually.
I know of several problem areas, ready to attempt better upgrade if/when
you are, if you wish to attempt through rpm. A distribution mechanism
outside rpm is a quite sane alternative implementation as well.

73 de Jeff
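The thread turns on one line of `rpm -V` output, "..5....T. c /etc/selinux/targeted/policy/policy.18", and on what %config(noreplace) does with a config file whose digest no longer matches the package. The script below is an added example written for this page; it is not from the thread, from Fedora, or from the rpm project. It decodes the fixed-width attribute column of `rpm -V` lines into words and filters out the %config entries whose contents have changed, i.e. the files an upgrade will leave in place while writing the packaged version beside them as <file>.rpmnew. The sample lines at the bottom are constructed, not captured from a real run, and the meaning of a ninth "P" column (capabilities) is assumed from newer rpm; the 2004-era tool in the thread prints only the first eight tests.

```shell
#!/bin/sh
# Decode lines of `rpm -V` output such as
#   ..5....T. c /etc/selinux/targeted/policy/policy.18
# The first column is a fixed-width attribute string, one test per
# position: S size, M mode, 5 digest, D device major/minor, L symlink
# target, U user, G group, T mtime, and (assumed, newer rpm only) P for
# capabilities as a 9th column.  '.' means the test passed, '?' means it
# could not be run.  "missing" replaces the whole string for an absent
# file.  The optional second column is the file type from the spec:
# c %config, d %doc, g %ghost, l %license, r %readme.

decode_rpmv_line() {
    line=$1
    flags=${line%% *}                    # attribute string or "missing"
    rest=${line#"$flags"}
    rest=${rest#"${rest%%[! ]*}"}        # drop leading blanks
    case $rest in
        [cdglr]" "*) ftype=${rest%% *}; path=${rest#* } ;;
        *)           ftype=""; path=$rest ;;
    esac
    case $ftype in
        c) tname=config ;;  d) tname=doc ;;    g) tname=ghost ;;
        l) tname=license ;; r) tname=readme ;; *) tname=file ;;
    esac

    changed=""
    if [ "$flags" = missing ]; then
        changed=" missing"
    else
        rem=$flags
        pos=1
        while [ -n "$rem" ]; do          # walk the string one char at a time
            next=${rem#?}
            ch=${rem%"$next"}
            case "$pos$ch" in
                1S) changed="$changed size" ;;
                2M) changed="$changed mode" ;;
                35) changed="$changed digest" ;;
                4D) changed="$changed device" ;;
                5L) changed="$changed symlink" ;;
                6U) changed="$changed user" ;;
                7G) changed="$changed group" ;;
                8T) changed="$changed mtime" ;;
                9P) changed="$changed caps" ;;
                *"?") changed="$changed unverified@$pos" ;;
            esac
            rem=$next
            pos=$((pos + 1))
        done
    fi
    [ -n "$changed" ] || changed=" unchanged"
    printf '%s %s:%s\n' "$tname" "$path" "$changed"
}

# Read `rpm -V` output on stdin and print only %config files whose
# contents differ from the packaged copy (digest test failed).  For a
# %config(noreplace) file this is exactly the case where an upgrade keeps
# the on-disk file and installs the new one as <path>.rpmnew.
modified_configs() {
    while IFS= read -r l; do
        case $l in
            ??5*" c "*) printf '%s\n' "${l#* c }" ;;
        esac
    done
}

# Constructed sample of `rpm -V selinux-policy-targeted` output (not a
# real run): the policy binary was rewritten by a `make load`, the
# file_contexts file only had its mtime touched.
sample='..5....T. c /etc/selinux/targeted/policy/policy.18
.......T. c /etc/selinux/targeted/contexts/files/file_contexts'
printf '%s\n' "$sample" | while IFS= read -r l; do decode_rpmv_line "$l"; done
printf '%s\n' "$sample" | modified_configs
```

Pipe the real thing through it with `rpm -V selinux-policy-targeted | modified_configs`; every path it prints is one to check for a sibling .rpmnew after the next upgrade. Note the other half of the rule: if the on-disk config still matches the old package (no "5"), rpm replaces it silently even when marked noreplace, and if the packaged file did not change between versions nothing is written at all. A mtime-only difference, like the second sample line, does not by itself cause a .rpmnew.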