selinux-policy.spec weirdness?

Stephen Smalley sds at tycho.nsa.gov
Wed May 10 11:27:19 UTC 2006


On Tue, 2006-05-09 at 18:07 -0400, Valdis.Kletnieks at vt.edu wrote:
> Am looking at selinux-policy-2.2.38-1.src.rpm.  Does anybody know
> why there isn't a %build section in the .SPEC file?  I was *hoping*
> to do a 'rpmbuild -bc' to assist in debugging an outstanding problem
> I'm having with strict policy, but apparently all the building gets
> done in the %install. Blech.

1) strict policy is known to be broken simply due to the current
brokenness of optionals-in-base support in checkpolicy/libsepol.
Patches are coming soon.  It isn't really strict policy per se, but
fully modularized policy where the base has to contain optional sections
that need to be dynamically enabled at link time.

2) At present, you can build a working copy of a given policy build tree
via:
rpmbuild -bb --define "BUILD_xxx 0" --define "BUILD_yyy 0" selinux-policy.spec
where xxx and yyy are MLS, STRICT, or TARGETED, and you are disabling
the ones you don't want.  e.g. to build a working copy of a build tree
for just strict, you'd use:
rpmbuild -bb --define "BUILD_MLS 0" --define "BUILD_TARGETED 0" selinux-policy.spec

This tries to build a binary package, of course, but leaves the build
tree intact so that you can then go use it.

We do need a cleaner way of doing this, or at least for it to be
documented in the FAQ.

-- 
Stephen Smalley
National Security Agency



