Not good
Gene Czarcinski
gene at czarc.net
Mon Apr 5 15:27:27 UTC 2004
On Monday 05 April 2004 10:40, Chris Ricker wrote:
> On Sat, 3 Apr 2004, Jeff Johnson wrote:
> > All rpm tools have this problem, as one of the two big lies in rpm is
> > All-or-nothing behavior when installing packages.
> > That lie is true iff packages are perfect. That is very much not the
> > case during a development cycle with an important paradigm shift like
> > selinux.
>
> I don't see the selinux policy issues as being any different than, say,
>
> # mount -o remount,ro /usr
> # yum update
> <massive fun ensues>
> #
>
> People have lived with that for years, they'll learn to live with similar
> situations due to selinux configs....

I agree but ... we need to understand what the "rules" are with respect to
selinux related packages. When things get screwed up, how do we unscrew
them? I did not know that the active policy had to be named policy.<version>
so when the file was named "policy." I thought it was OK. If I had known, it
was a quick fix to rename it to "policy.16".

I do believe that the policy packages need some work:

1. Cannot be built in a private build tree (this possibly caused the "policy."
problem which is fixed in 1.9.2-11 ... we will see if it builds in the
private tree by a regular user).

2. When policy is installed, it loads the policy it just installed ... OK,
sounds reasonable. But, if you then install/update policy-sources, it causes
the policy to be rebuilt from source and reloaded again! Why?

3. From what I see, there is no reason to have the policy package at all since
policy-sources will build the needed files (except for
/etc/security/{default_contexts,default_type,failsafe_context} and they could
be in policy-sources too).

Gene