Supporting multiple OS releases

Rob Crittenden rcritten at
Tue Jun 30 20:41:37 UTC 2009

Daniel J Walsh wrote:
> On 06/30/2009 10:08 AM, Rob Crittenden wrote:
>> In the freeIPA project we have our own SELinux policy. We support RHEL 5
>> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
>> our SELinux module which Dan Walsh provided a patch for. I haven't tried
>> this on older releases yet but I'm guessing it won't work as expected
>> (some policies seem to have been renamed, such as
>> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>> My question is, how can we handle this in our source tree? Are we going
>> to need to maintain per-release policies or does SELinux support some
>> sort of versioning conditionals?
>> thanks
>> rob
>> ------------------------------------------------------------------------
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at
> The old interface will work, it just reports a nasty warning message 
> when you compile it against newer policy.  So I think you are safe 
> compiling it on RHEL5 and installing it on F10/F11.

We compile it on the given platform so we need some way to support all 
at once.

For example, the code that builds fine on F-11 fails like this on F-9:

Compiling targeted ipa_webgui module
/usr/bin/checkmodule:  loading policy configuration from tmp/ipa_webgui.tmp
ipa_webgui.te":77:ERROR 'syntax error' at token 
'userdom_dontaudit_search_admin_dir' on line 10764:

The diff between F-11 and F-9 being:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the fedora-selinux-list mailing list