SELinux policy & policy-sources

Gene C. czar at czarc.net
Tue Apr 6 09:01:52 UTC 2004


On Tuesday 06 April 2004 02:51, Fred New wrote:
> Could someone comment about the relationship between the policy
> and policy-sources packages?  When I update policy-sources, it seems to
> build /etc/security/selinux/policy.16.  And updating "policy" replaces
> policy.16 again (if it is packaged correctly).  Am I supposed to have
> only one of these packages installed?

OK, I am NOT an expert but let me give it a try ...

The policy package has the minimum necessary files defining the selinux 
security policy ... as currently implemented, you always need this package 
installed.  The policy-sources package contains all of the source definitions 
(files in /etc/security/selinux/src/*) for creating the files 
/etc/security/selinux/file_contexts and /etc/security/selinux/policy.<ver> 
where <ver> is the "version number" of the policy ... currently 16. [Some of 
the recent policy package updates had/have a packaging problem and installed 
"policy." instead of "policy.16" which screws things up pretty bad although it 
can be fixed by simply renaming the file.]

If you have a simple system and do not plan to fool with the security policy 
as currently defined by Red Hat, you need just the policy package.  If you 
are going to customize your security policy and want to run setools, then you 
need policy-sources.

Note:  Installing/updating the policy package will load the new policy after 
it installs the files.

Note: Installing/updating the policy-sources package will rebuild the 
policy.## file and the file_contexts file and load them (makes them the 
current policy in effect).

Note:  If you have locally modified some of the policy sources, updating 
policy and/or policy-sources can have interesting (but not particularly 
desirable) effects. See 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604

I suggest you take a look at the bugzilla reports for policy to see what types 
of problems are occurring.
-- 
Gene
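
A read-only check for the states described in this message, added here as an example (it is not part of the original post or of the policy packages): it reports a compiled policy named "policy." without its version, a missing file_contexts, and whether src/ is populated. The function name, the status words and the sample tree are assumptions made for the example; the directory layout is the one named in the message.

```sh
#!/bin/sh
# Added example: report the state of an SELinux policy directory laid out as
# in the message above. Function name and status words are hypothetical.
#   binary:<file>      compiled policy named policy.<ver>
#   misnamed:<file>    "policy." with the version missing (the packaging problem)
#   unexpected:<file>  policy.* with a non-numeric suffix
#   no-binary          no well-formed policy.<ver> present
#   no-file-contexts   file_contexts missing
#   sources            src/ is populated (policy-sources content)
# Returns 0 only if policy.<ver> and file_contexts exist and nothing is misnamed.
classify_policy_dir() {
    _dir=$1 _found=0 _rc=0
    for _f in "$_dir"/policy.*; do
        [ -e "$_f" ] || continue          # glob matched nothing
        _name=${_f##*/}
        case ${_name#policy.} in
            '')       echo "misnamed:$_name"; _rc=1 ;;
            *[!0-9]*) echo "unexpected:$_name" ;;
            *)        echo "binary:$_name"; _found=1 ;;
        esac
    done
    [ "$_found" -eq 1 ] || { echo "no-binary"; _rc=1; }
    [ -f "$_dir/file_contexts" ] || { echo "no-file-contexts"; _rc=1; }
    if [ -d "$_dir/src" ] && [ -n "$(ls -A "$_dir/src" 2>/dev/null)" ]; then
        echo "sources"
    fi
    return "$_rc"
}

# Constructed sample tree reproducing the mis-packaged "policy." file.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/src"
: > "$demo_dir/src/example.te"            # constructed placeholder source file
: > "$demo_dir/policy."
: > "$demo_dir/file_contexts"
classify_policy_dir "$demo_dir" || echo "=> policy directory needs attention"
rm -rf "$demo_dir"
```

On a real system the function would be pointed at /etc/security/selinux; it only reads the directory and leaves the rename fix to the administrator.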





More information about the fedora-test-list mailing list