Supporting multiple OS releases

Rob Crittenden rcritten at redhat.com
Wed Jul 1 19:07:59 UTC 2009


Stephen Smalley wrote:
> On Tue, 2009-06-30 at 16:41 -0400, Rob Crittenden wrote:
>> Daniel J Walsh wrote:
>>> On 06/30/2009 10:08 AM, Rob Crittenden wrote:
>>>> In the freeIPA project we have our own SELinux policy. We support RHEL 5
>>>> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
>>>> our SELinux module which Dan Walsh provided a patch for. I haven't tried
>>>> this on older releases yet but I'm guessing it won't work as expected
>>>> (some policies seem to have been renamed, such as
>>>> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()).
>>>>
>>>> My question is, how can we handle this in our source tree? Are we going
>>>> to need to maintain per-release policies or does SELinux support some
>>>> sort of versioning conditionals?
>>>>
>>>> thanks
>>>>
>>>> rob
>>>>
>>> The old interface will work, it just reports a nasty warning message 
>>> when you compile it against newer policy.  So I think you are safe 
>>> compiling it on RHEL5 and installing it on F10/F11.
>> We compile it on the given platform so we need some way to support all 
>> at once.
>>
>> For example, the code that builds fine on F-11 fails like this on F-9:
>>
>> Compiling targeted ipa_webgui module
>> /usr/bin/checkmodule:  loading policy configuration from tmp/ipa_webgui.tmp
>> ipa_webgui.te":77:ERROR 'syntax error' at token 
>> 'userdom_dontaudit_search_admin_dir' on line 10764:
>> userdom_dontaudit_search_admin_dir(ipa_webgui_t)
>>
>> The diff between F-11 and F-9 being:
>>
>> -userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
>> +userdom_dontaudit_search_admin_dir(ipa_webgui_t)
> 
> Try adding this to your module .if file:
> ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
> interface(`userdom_dontaudit_search_admin_dir', `
>     userdom_dontaudit_search_sysadm_home_dirs($1)
> ')
> ')
> 
> And then use userdom_dontaudit_search_admin_dir throughout your
> module .te file.  Then it should get remapped if not defined.
> 

This is exactly what I was looking for, thanks.

rob
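The same shim pattern extended to both renames mentioned in this thread, written out as an added example (not code from the thread or from freeIPA's policy tree); the corenet mapping assumes that rename was a plain one-to-one replacement, as the first message suggests:

```m4
## <summary>
##	Compatibility shims for interfaces renamed between releases.
##	Added example for ipa_webgui.if, not freeIPA's own file.
## </summary>

# The system's .if files are processed before this one, so if a release
# already defines userdom_dontaudit_search_admin_dir() the ifdef branch
# expands to nothing and no redefinition happens.  On older releases the
# name is unknown, so we define it as a wrapper around the old interface.
ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
interface(`userdom_dontaudit_search_admin_dir', `
	userdom_dontaudit_search_sysadm_home_dirs($1)
')
')

# Same pattern for corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled().
# Assumption: the old interface is an acceptable fallback for the new name.
ifdef(`corenet_all_recvfrom_unlabeled', `', ` dnl
interface(`corenet_all_recvfrom_unlabeled', `
	corenet_non_ipsec_sendrecv($1)
')
')

# In ipa_webgui.te call only the new names; on F-9 they resolve through the
# shims above, on F-11 through the system policy:
#
#   userdom_dontaudit_search_admin_dir(ipa_webgui_t)
#   corenet_all_recvfrom_unlabeled(ipa_webgui_t)
```

Because the fallback is chosen at policy build time, the same source tree compiles with the devel Makefile on each release without per-release copies of the .te file.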
More information about the fedora-selinux-list mailing list