SELinux policy & policy-sources
Gene C.
czar at czarc.net
Tue Apr 6 09:01:52 UTC 2004
On Tuesday 06 April 2004 02:51, Fred New wrote:
> Could someone comment about the relationship between the policy
> and policy-sources packages? When I update policy-sources, it seems to
> build /etc/security/selinux/policy.16. And updating "policy" replaces
> policy.16 again (if it is packaged correctly). Am I supposed to have
> only one of these packages installed?

OK, I am NOT an expert but let me give it a try ...

The policy package has the minimum necessary files defining the selinux
security policy ... as currently implemented, you always need this package
installed. The policy-sources package contains all of the source definitions
(files in /etc/security/selinux/src/*) for creating the files
/etc/security/selinux/file_contexts and /etc/security/selinux/policy.<ver>
where <ver> is the "version number" of the policy ... currently 16. [Some of
the recent policy package updates had/have a packaging problem and installed
"policy." instead of "policy.16", which screws things up pretty bad although it
can be fixed by simply renaming the file.]

If you have a simple system and do not plan to fool with the security policy
as currently defined by Red Hat, you need just the policy package. If you
are going to customize your security policy and want to run setools, then you
need policy-sources.

Note: Installing/updating the policy package will load the new policy after
it installs the files.

Note: Installing/updating the policy-sources package will rebuild the
policy.## file and the file_contexts file and load them (makes them the
current policy in effect).

Note: If you have locally modified some of the policy sources, updating
policy and/or policy-sources can have interesting (but not particularly
desirable) effects. See
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604
I suggest you take a look at the bugzilla reports for policy to see what types
of problems are occurring.
--
Gene
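
The file layout described in the message above can be checked with a short script. This is an added example, not part of the original post or of either package: the function names `check_policy_dir` and `has_policy_sources` are hypothetical, and the paths and the version number 16 are the ones quoted in the message.

```shell
#!/bin/sh
# Added example: inspect an SELinux policy directory for the states
# described in the post. Function names are hypothetical.

# check_policy_dir DIR [VER]
#   DIR  policy directory (the post uses /etc/security/selinux)
#   VER  expected policy version (16 at the time of the post)
# Prints one status word; returns 0 only when the status is "ok".
check_policy_dir() {
    dir=$1
    ver=${2:-16}
    if [ -e "$dir/policy." ]; then
        # Packaging problem from the post: the version suffix is missing.
        echo "misnamed"
        echo "fix: mv '$dir/policy.' '$dir/policy.$ver'" >&2
        return 2
    fi
    if [ ! -f "$dir/policy.$ver" ]; then
        # No binary policy for the expected version.
        echo "missing"
        return 1
    fi
    if [ ! -f "$dir/file_contexts" ]; then
        # Binary policy present, but the labeling file is absent.
        echo "no-file-contexts"
        return 1
    fi
    echo "ok"
}

# has_policy_sources DIR
#   True when the source tree shipped by policy-sources (DIR/src)
#   exists and is not empty.
has_policy_sources() {
    [ -d "$1/src" ] && [ -n "$(ls -A "$1/src" 2>/dev/null)" ]
}
```

Run it as `check_policy_dir /etc/security/selinux` after a package update; the suggested rename for the "misnamed" case is printed on stderr rather than executed.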