Supporting multiple OS releases
Dominick Grift
domg472 at gmail.com
Tue Jun 30 14:27:38 UTC 2009
On Tue, 2009-06-30 at 10:08 -0400, Rob Crittenden wrote:
> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> this on older releases yet but I'm guessing it won't work as expected
> (some policies seem to have been renamed, such as
> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>
> My question is, how can we handle this in our source tree? Are we going
> to need to maintain per-release policies or does SELinux support some
> sort of versioning conditionals?
>
> thanks
>
> rob
There is tunable policy, meaning you can tune your policy for specific
distros for example. You do this by building the policy with
DISTRO=(distro). See the SELinux makefile:
http://oss.tresys.com/projects/refpolicy/browser/trunk/Makefile
starting at line 179: # enable distribution-specific policy
Then in the policy itself you would put the distro specifics into
separate blocks of policy. For example:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/apache.te
starting at line 702: ifdef(`distro_redhat',` ')
Which is policy specific to Red Hat distributions. So if you build with
DISTRO=redhat this specific policy is added.
You may or may not be able to use this mechanism for your scenario.
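
The mechanism described in this reply, as an added example that is not part of the original message and is not freeIPA or refpolicy code: a constructed policy fragment is run through m4 with and without a distro define to show which block reaches the built policy. The type ipa_example_t and the DISTRO value legacy are hypothetical, and which release ships which of the two interface names from the question is assumed.

```shell
#!/bin/sh
# Added example: constructed fragment, not freeIPA or refpolicy source.
# ipa_example_t and DISTRO=legacy (giving distro_legacy) are hypothetical names.

# Emit a constructed .te fragment. The heredoc delimiter is quoted so the
# shell does not treat the m4 opening quote (a backtick) as command substitution.
policy_fragment() {
cat <<'EOF'
type ipa_example_t;
allow ipa_example_t self:tcp_socket create_stream_socket_perms;

ifdef(`distro_legacy',`
corenet_non_ipsec_sendrecv(ipa_example_t)
',`
corenet_all_recvfrom_unlabeled(ipa_example_t)
')

ifdef(`distro_redhat',`
allow ipa_example_t self:process signal;
')
EOF
}

# Expand the fragment the way a build with DISTRO=$1 would: the makefile
# turns DISTRO=<name> into the m4 define distro_<name>. An empty $1 means
# no DISTRO was given, so no distro_* symbol is defined.
expand_policy() {
    if [ -n "$1" ]; then
        policy_fragment | m4 -D "distro_$1"
    else
        policy_fragment | m4
    fi
}

# Succeeds if the expansion for DISTRO=$1 contains exactly the line $2.
policy_has_line() {
    expand_policy "$1" | grep -Fxq -- "$2"
}

# Show the three expansions side by side (requires m4 on PATH).
if command -v m4 >/dev/null 2>&1; then
    for distro in legacy redhat ""; do
        echo "### DISTRO=${distro:-<unset>}"
        expand_policy "$distro" | sed '/^$/d'
    done
fi
```

Keep apostrophes out of the text inside an ifdef block, comments included: m4 reads one as the closing quote and the block ends early.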