policy/policy-sources differences?
Gene C.
czar at czarc.net
Thu Apr 15 17:57:46 UTC 2004
On Thursday 15 April 2004 11:48, t l wrote:
> I have both policy and policy-sources packages installed (currently,
> policy-1.11.2-6 and policy-sources-1.11.2.6).
>
> I have 3 questions:
>
> 1. Shouldn't both packages install identical files? Currently, one install
> (I'm guessing policy-sources) typically leaves ".rpmnew" file/files. In
> this last update, it was just file_contexts (and file_contexts.rpmnew), but
> sometimes it's also the policy.1[567] files as well.
>
> 2. Doing a "diff -b file_contexts*" produces what appears to be some line
> reorderings plus a bunch of lines describing "/mnt/build". I can't find
> these entries in the src/policy/file_contexts directory. Should they be
> there?
>
> 3. When there are ".rpmnew" files in /etc/security/selinux/, which ones
> "should we use"?

There are no duplicates between policy and policy-sources. While the policy
package includes some files which are basic and needed by selinux, it also
includes a pre-defined set of policy rules for a simple installation -- those
necessary for a minimal install which would have selinux enabled. If you
have a simple installation and plan to use the defaults defined by the
developers, you only need the policy package.

The policy-sources package has all of the source definitions which enable
someone to tailor the security policy to their needs/wants. By default, it
still defines the same policies as the policy package but you can change that
with the files in policy-sources.

When the policy-sources package is installed, it "recompiles" from source
(after the installation) and updates the /etc/security/selinux/files_contexts
and /etc/security/selinux/policy.{15,16,17} files and then reloads the policy
appropriate to the kernel you are running. Naturally, when it updates those
files, it replaces the files that were just installed and loaded by the policy
package.

For most updates, as long as you select both policy and policy-sources for
update, you should be OK. If you somehow install the policy-sources package
and then the policy package (such as by using rpm --force), you will be running
a policy which does not include any of your updates.

I hope this helps to clarify things for you.
--
Gene