libselinux should not require libsetrans

Stephen Smalley sds at
Wed Sep 14 17:58:35 UTC 2005


In the current Fedora spec file, libselinux has libsetrans as a prereq,
thereby pulling it in on libselinux updates for all users regardless of
policy.  However, libsetrans presumes that MCS is enabled and always
appends :s0 to contexts when converting to raw format if they lack it.
This breaks (for example) a system running strict policy, as libselinux
then starts using the MCS-specific libsetrans and it starts
appending :s0 to raw contexts, but the kernel then rejects those
contexts since it does not have an MLS-enabled policy.

libsetrans is supposed to be optional, with libselinux gracefully
falling back to no translation if it is absent.  I can possibly see
making it a dependency of MCS-enabled targeted policy packages, but not
of libselinux.  Yes?

Stephen Smalley
National Security Agency
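
The failure described in the message above, as an added example. It is not part of the original post and is not libsetrans or libselinux code. The function names, the `mls` flag, and the acceptance check are assumptions: a simplified model of a raw-context conversion and of the kernel's validity check, run on a constructed sample context.

```c
#include <stdio.h>
#include <string.h>

/* Split "user:role:type[:level]". Returns -1 if fewer than three fields.
 * Only the first three colons separate fields; a level may contain ':'. */
static int ctx_split(const char *ctx, const char **level)
{
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {
        if (!(p = strchr(p, ':')))
            return -1;
        p++;
    }
    p = strchr(p, ':');
    *level = p ? p + 1 : NULL;
    return 0;
}

/* Hypothetical conversion to raw format. Passing mls=1 regardless of the
 * loaded policy models a translator that presumes MCS; passing the real
 * policy state models the guarded behaviour. */
int to_raw(const char *ctx, int mls, char *out, size_t len)
{
    const char *level;
    if (ctx_split(ctx, &level) < 0 || (level && !mls))
        return -1;              /* malformed, or level on a non-MLS policy */
    int n = snprintf(out, len, "%s%s", ctx, (!level && mls) ? ":s0" : "");
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Simplified model of the kernel check: a level is present exactly when
 * the policy is MLS-enabled. */
int policy_accepts(const char *raw, int mls)
{
    const char *level;
    return ctx_split(raw, &level) == 0 && (level != NULL) == (mls != 0);
}

int main(void)
{
    char buf[64];
    const char *ctx = "user_u:user_r:user_t";   /* constructed sample */
    to_raw(ctx, 1, buf, sizeof buf);            /* presumes MCS */
    printf("%s accepted by non-MLS policy: %d\n", buf, policy_accepts(buf, 0));
    to_raw(ctx, 0, buf, sizeof buf);            /* follows the policy */
    printf("%s accepted by non-MLS policy: %d\n", buf, policy_accepts(buf, 0));
    return 0;
}
```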

