[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

libselinux should not require libsetrans



Hi,

In the current Fedora spec file, libselinux has libsetrans as a prereq,
thereby pulling it in on libselinux updates for all users regardless of
policy.  However, libsetrans presumes that MCS is enabled and always
appends :s0 to contexts when converting to raw format if they lack it.
This breaks (for example) a system running strict policy, as libselinux
then starts using the MCS-specific libsetrans and it starts
appending :so to raw contexts, but the kernel then rejects those
contexts since it does not have a MLS-enabled policy.

libsetrans is supposed to be optional, with libselinux gracefully
falling back to no translation if it is absent.  I can possibly see
making it a dependency of MCS-enabled targeted policy packages, but not
of libselinux.  Yes?

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]