SELinux Module Packaging in FC5

Stephen Smalley sds at tycho.nsa.gov
Tue May 16 16:30:25 UTC 2006 

On Tue, 2006-05-16 at 16:56 +0100, Paul Howarth wrote:
> Next problem:
> 
> I built and tested the package on one system, which was fully up to 
> date. Worked fine. Then tried installing the package on other system 
> that was running an older kernel and had older libsepol and 
> selinux-policy-targeted packages. The result was:
> 
> # rpm -Uvh contagged-0.3-2.noarch.rpm
> Preparing...                ########################################### 
> [100%]
>     1:contagged              warning: /etc/httpd/conf.d/contagged.conf 
> created as /etc/httpd/conf.d/contagged.conf.rpmnew
> ########################################### [100%]
> libsepol.class_copy_callback: contagged: Modules may not yet declare new 
> classes.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule:  Failed!
> # rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.34-3.fc5
> libsepol-1.12.4-1.fc5
> libsemanage-1.6.2-2.fc5
> 
> After doing a "yum update" on this system, the package installed cleanly.
> 
> Is this a result of the required feature being missing from one of these 
> (or some other) packages, or is a compiled .pp module compatible only 
> with the specific version of something it was built against?

I'm confused - I thought you said that the policy package only contained
a file contexts section, not a policy module.  Was there a policy
module?  If so, what was the source?  The above looks like a bug to me.

The receiving system has to have a libsepol that understands the policy
package format and module format, which are versioned, but the above
doesn't appear to be a format issue.  There is a pending change in the
module format, but you will be able to tell checkmodule to generate the
older format as well, and libsepol provides backward compatibility for
older formats.

> Is there some way of specifying the necessary dependency in the package 
> containing the binary policy module, or is it so volatile (like a kernel 
> module for instance) that the best bet would be to ship policy sources 
> and build them in %post?

No, they are intended to allow separate building and distribution.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list