SELinux Module Packaging in FC5

Paul Howarth paul at city-fan.org
Wed Jun 21 16:18:25 UTC 2006


Joshua Brindle wrote:
>> From: Paul Howarth [mailto:paul at city-fan.org] 
> <snip>
> 
>>> Back to the point, my email a few times back suggested putting a line
>>> with just ; where the rules would be in order to get a module without
>>> rules, have you tried that?
>> Is this with or without the requires clause?
>>
>> With the requires clause, the semicolon doesn't seem to make any
>> difference.
> 
> Ok, now I'm not sure what is going on. I built a policy with no rules
> and it linked in fine. (no ; was required either).. The policy_module
> statement always brings in a ton of requires (object classes mainly) so
> you'll always have requires whether you add them explicitly or not.
> 
> What problem are you running into with this?

It's as described in the thread around here:
http://www.redhat.com/archives/fedora-selinux-list/2006-May/msg00104.html

The gist of it is that I had a policy module package built on one 
machine and couldn't load it on another machine with an older version of 
selinux-policy:

libsepol.class_copy_callback: contagged: Modules may not yet declare new classes.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule:  Failed!

The responses I got suggested that the absence of a policy module from 
the policy module package (just file contexts, no rules) was at least 
partly responsible for the issue.

The workaround I'm using at the moment is for my RPM packages to have an 
RPM "conflict" with selinux-policy versions older than the one my 
package is built against.

Paul.
