SELinux Module Packaging in FC5
Stephen Smalley
sds at tycho.nsa.gov
Tue May 16 16:58:58 UTC 2006
On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> It contains a policy module, but the module only includes file contexts.
Clarification: it is a policy package (.pp), but the policy package
only includes file contexts. The module itself is just the .mod file
created by checkmodule; it never includes file contexts.
If this is going to be common, then semodule_package and libsemanage
need to allow for policy packages that have no policy module.
> The .te file is just:
> ---------------------------------------------------------------------
> # It's currently only necessary to set file contexts for the cache directory
> # in this policy, but doing it in a module is easier from a package maintenance
> # point of view than using semanage and chcon in scriptlets
>
> policy_module(contagged, 0.1)
This pulls in requires statements for the kernel classes and
permissions. Which it seems are being confused with an attempt to
declare classes/permissions in the module by the older libsepol.
> The .fc file is:
> ---------------------------------------------------------------------
> /var/cache/contagged(/.*)?        gen_context(system_u:object_r:httpd_cache_t,s0)
> ---------------------------------------------------------------------
You can't use gen_context() there, can you? I thought it had to be
preprocessed already.
> The module was built on a system with:
> $ rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.38-1.fc5
> libsepol-1.12.6-1.fc5
> libsemanage-1.6.2-2.fc5
>
> The error occurred when the package was installed on a system with:
> $ rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.34-3.fc5
> libsepol-1.12.4-1.fc5
> libsemanage-1.6.2-2.fc5
Hmmm...and what version of checkmodule was used to build it?
--
Stephen Smalley
National Security Agency
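As an added example (not code from the thread or from either poster), the build that Paul describes, written out with the refpolicy toolchain: the .te and .fc are constructed copies of what he posted, the work directory is whatever `$1` is, `/usr/share/selinux/devel/Makefile` is only used where it exists, and `expand_gen_context` is a hypothetical helper that mirrors the m4 expansion the Makefile applies to the .fc file before semodule_package ever sees it.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the two-file "contagged" module and
# shows what happens to gen_context() on the way from .fc to .pp.
# Assumptions: $1 is a scratch directory (constructed); the refpolicy devel
# Makefile is used only if present; build tools absent => "skipped".

# gen_context() is an m4 macro from refpolicy. checkmodule and semodule_package
# do not understand it; the devel Makefile expands it first. This helper mirrors
# that expansion: under MLS/MCS (FC5 targeted is MCS) the level is appended,
# on a non-MLS policy the level is dropped.
expand_gen_context() {   # $1 = .fc line, $2 = "mcs" | "nomls"
    if [ "$2" = "mcs" ]; then
        printf '%s\n' "$1" | sed 's/gen_context(\([^,]*\),\([^)]*\))/\1:\2/'
    else
        printf '%s\n' "$1" | sed 's/gen_context(\([^,]*\),[^)]*)/\1/'
    fi
}

# Write the module sources as posted (constructed copy).
write_sources() {
    mkdir -p "$1"
    printf '%s\n' 'policy_module(contagged, 0.1)' > "$1/contagged.te"
    printf '%s\t%s\n' '/var/cache/contagged(/.*)?' \
        'gen_context(system_u:object_r:httpd_cache_t,s0)' > "$1/contagged.fc"
}

# Build contagged.pp. The Makefile runs m4 over .te and .fc, then checkmodule
# (-> contagged.mod, which never carries file contexts) and semodule_package
# (-> contagged.pp = .mod plus the expanded .fc). Prints "skipped" if the
# toolchain is not installed, so the function is safe to call anywhere.
build_package() {
    mk=/usr/share/selinux/devel/Makefile
    if [ ! -f "$mk" ] || ! command -v checkmodule >/dev/null 2>&1; then
        echo skipped; return 0
    fi
    ( cd "$1" && make -f "$mk" contagged.pp >/dev/null ) || return 1
    echo built
}

# Record the builder's tool versions next to the .pp so a libsepol/checkmodule
# mismatch between build host and install host can be diagnosed later.
record_versions() {
    rpm -q checkpolicy libsepol libsemanage > "$1/BUILD-VERSIONS" 2>/dev/null || true
}
```

Ship `BUILD-VERSIONS` with the package and compare it against `rpm -q libsepol libsemanage` on the install host before filing a bug.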