policy/policy-sources differences?

t l concert at europe.com
Thu Apr 15 18:32:17 UTC 2004


Thanks for the response.  I think you answered some of my questions.

Although I installed both packages (policy and policy-source), I made no changes to the src/policy files, so all the files in /etc/security/selinux should be the same as when installed (from the previous update).

So shouldn't the version of /etc/security/selinux/file_contexts built from the files installed by policy-sources be the same as the version of /etc/security/selinux/file_contexts installed from the policy package?

One of them has "extra" entries (/mnt/build*/), no?

tom

------------------------------------------------------------
    * From: "Gene C." <czar czarc net>
    * To: fedora-test-list redhat com
    * Subject: Re: policy/policy-sources differences?
    * Date: Thu, 15 Apr 2004 13:57:46 -0400

On Thursday 15 April 2004 11:48, t l wrote:
> I have both policy and policy-sources packages installed (currently,
> policy-1.11.2-6 and policy-sources-1.11.2.6).
>
> I have 3 questions:
>
> 1. Shouldn't both packages install identical files?  Currently, one install
> (I'm guessing policy-sources) typically leaves ".rpmnew" file/files.  In
> this last update, it was just file_contexts (and file_contexts.rpmnew), but
> sometimes it's also the policy.1[567] files as well.
>
> 2. Doing a "diff -b file_contexts*" produces what appears to be some line
> reorderings plus a bunch of lines describing "/mnt/build".  I can't find
> these entries in the src/policy/file_contexts directory.  Should they be
> there?
>
> 3. When there are ".rpmnew" files in /etc/security/selinux/, which ones
> "should we use"?

There are no duplicates between policy and policy-sources.  While the policy 
package includes some files which are basic and needed by selinux, it also 
includes a pre-defined set of policy rules for a simple installation -- those 
necessary for a minimal install which would have selinux enabled.  If you 
have a simple installation and plan to use the defaults defined by the 
developers, you only need the policy package.

The policy-sources package has all of the source definitions which enable 
someone to tailor the security policy to their needs/wants.  By default, it 
still defines the same policies as the policy package but you can change that 
with the files in policy-sources.

When the policy-sources package is installed, it "recompiles" from source 
(after the installation) and updates the /etc/security/selinux/file_contexts 
and /etc/security/selinux/policy.{15,16,17} files and then reloads the policy 
appropriate to the kernel you are running.  Naturally, when it updates those 
files, it replaces the files that were just installed and loaded by the policy 
package.

For most updates, as long as you select both policy and policy-sources for 
update, you should be OK.  If you somehow install the policy-sources package 
and then the policy package (such as by using rpm --force), you will be running 
a policy which does not include any of your updates.

I hope this helps to clarify things for you.
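
Added example, not part of the original thread: an order-insensitive comparison of file_contexts against file_contexts.rpmnew, so that the line reorderings mentioned above drop out and only entries unique to one file remain. The function names and the sample entries (including the context labels) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# normalize FILE: drop comment and blank lines, collapse whitespace runs,
# and sort, so ordering and spacing differences do not show up as changes.
normalize() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# only_in A B: print entries present in A but absent from B.
only_in() {
    a=$(mktemp) && b=$(mktemp) || return 1
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample files standing in for the installed pair; on a real
# system, pass /etc/security/selinux/file_contexts and its .rpmnew instead.
demo_dir=$(mktemp -d)
cat > "$demo_dir/file_contexts" <<'EOF'
# constructed sample entries
/bin(/.*)?        system_u:object_r:bin_t
/etc(/.*)?        system_u:object_r:etc_t
/mnt/build(/.*)?  system_u:object_r:default_t
EOF
cat > "$demo_dir/file_contexts.rpmnew" <<'EOF'
/etc(/.*)?   system_u:object_r:etc_t
/bin(/.*)?   system_u:object_r:bin_t
EOF

echo "Only in file_contexts:"
only_in "$demo_dir/file_contexts" "$demo_dir/file_contexts.rpmnew"
echo "Only in file_contexts.rpmnew:"
only_in "$demo_dir/file_contexts.rpmnew" "$demo_dir/file_contexts"
```

An empty result in both directions means the two files define the same labeling rules and differ only in ordering or spacing.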