SELinux Module Packaging in FC5
Stephen Smalley
sds at tycho.nsa.gov
Tue May 16 16:30:25 UTC 2006
On Tue, 2006-05-16 at 16:56 +0100, Paul Howarth wrote:
> Next problem:
>
> I built and tested the package on one system, which was fully up to
> date. Worked fine. Then tried installing the package on another system
> that was running an older kernel and had older libsepol and
> selinux-policy-targeted packages. The result was:
>
> # rpm -Uvh contagged-0.3-2.noarch.rpm
> Preparing... ########################################### [100%]
> 1:contagged warning: /etc/httpd/conf.d/contagged.conf created as /etc/httpd/conf.d/contagged.conf.rpmnew
> ########################################### [100%]
> libsepol.class_copy_callback: contagged: Modules may not yet declare new classes.
> libsemanage.semanage_link_sandbox: Link packages failed
> /usr/sbin/semodule: Failed!
> # rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.34-3.fc5
> libsepol-1.12.4-1.fc5
> libsemanage-1.6.2-2.fc5
>
> After doing a "yum update" on this system, the package installed cleanly.
>
> Is this a result of the required feature being missing from one of these
> (or some other) packages, or is a compiled .pp module compatible only
> with the specific version of something it was built against?

I'm confused - I thought you said that the policy package only contained
a file contexts section, not a policy module. Was there a policy
module? If so, what was the source? The above looks like a bug to me.

The receiving system has to have a libsepol that understands the policy
package format and module format, which are versioned, but the above
doesn't appear to be a format issue. There is a pending change in the
module format, but you will be able to tell checkmodule to generate the
older format as well, and libsepol provides backward compatibility for
older formats.

> Is there some way of specifying the necessary dependency in the package
> containing the binary policy module, or is it so volatile (like a kernel
> module for instance) that the best bet would be to ship policy sources
> and build them in %post?

No, they are intended to allow separate building and distribution.

--
Stephen Smalley
National Security Agency