SELinux policy & policy-sources
Richard Hally
rhally at mindspring.com
Tue Apr 6 16:26:47 UTC 2004
Gene C. wrote:
>On Tuesday 06 April 2004 02:51, Fred New wrote:
>
>
>>Could someone comment about the relationship between the policy
>>and policy-sources packages? When I update policy-sources, it seems to
>>build /etc/security/selinux/policy.16. And updating "policy" replaces
>>policy.16 again (if it is packaged correctly). Am I supposed to have
>>only one of these packages installed?
>>
>>
>
>OK, I am NOT an expert but let me give it a try ...
>
>The policy package has the minimum necessary files defining the selinux
>security policy ... as currently implemented, you always need this package
>installed. The policy-sources package contains all of the source definitions
>(files in /etc/security/selinux/src/*) for creating the files
>/etc/security/selinux/file_contexts and /etc/security/selinux/policy.<ver>
>where <ver> is the "version number" of the policy ... currently 16. [Some of
>the recent policy package updates had/have a packaging problem and installed
>"policy." instead of "policy.16" which screws things up pretty bad although it
>can be fixed by simply renaming the file.]
>
>If you have a simple system and do not plan to fool with the security policy
>as currently defined by Red Hat, you need just the policy package. If you
>are going to customize your security policy and want to run setools, then you
>need policy-sources.
>
>Note: Installing/updating the policy package will load the new policy after
>it installs the files.
>
>Note: Installing/updating the policy-sources package will rebuild the
>policy.## file and the file_contexts file and load them (making them the
>current policy in effect).
>
>Note: If you have locally modified some of the policy sources, updating
>policy and/or policy-sources can have interesting (but not particularly
>desirable) effects. See
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118604
>
>I suggest you take a look at the bugzilla reports for policy to see what types
>of problems are occurring.
>
>
Nice work Gene! This needs to go in the FAQ....
Richard Hally
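
A check for the layout Gene describes, as an added example that is not part of the original thread: it reports a binary policy installed as "policy." without its version suffix, a missing policy.<ver> or file_contexts, and whether the src/ tree from policy-sources is present. The function name check_policy_dir and its output labels are hypothetical; the paths are the ones given in the thread.

```shell
#!/bin/sh
# Added example: audit a policy directory for the layout described in the thread.
# check_policy_dir and its output labels are hypothetical; the paths are the thread's.
check_policy_dir() {
    dir="${1:-/etc/security/selinux}"
    status=0
    found=0

    # Packaging problem from the thread: binary policy installed as "policy."
    # with the version suffix missing. Report only; renaming is left to the admin.
    if [ -e "$dir/policy." ]; then
        echo "MISNAMED: $dir/policy. has no version suffix"
        status=1
    fi

    # Correctly named binary policies are policy.<ver> with a numeric <ver>.
    for f in "$dir"/policy.*; do
        [ -e "$f" ] || continue
        ver="${f##*/policy.}"
        case "$ver" in
            ''|*[!0-9]*) continue ;;
        esac
        echo "OK: binary policy version $ver"
        found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING: no policy.<ver> in $dir"
        status=1
    fi

    if [ ! -f "$dir/file_contexts" ]; then
        echo "MISSING: $dir/file_contexts"
        status=1
    fi

    # src/ is shipped by policy-sources; its absence is normal on a policy-only system.
    if [ -d "$dir/src" ]; then
        echo "INFO: $dir/src present (policy-sources installed)"
    else
        echo "INFO: no $dir/src (policy package only)"
    fi
    return "$status"
}

# Run against a directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_policy_dir "$1"
fi
```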