Re: rawhide selinux-policy-strict whoopsage...

Stephen Smalley <sds@xxxxxxxxxxxxx> · Wed, 01 Feb 2006 14:39:37 -0500



On Thu, 2006-01-26 at 13:02 -0500, Valdis.Kletnieks@xxxxxx wrote:
> Ran yum, it tried to install selinux-policy-strict-2.2.5-1 and died a horrid death:
> 
> 
>   Updating  : selinux-policy-strict        ####################### [13/24] 
> libsepol.verify_module_requirements: Module acct's global requirements were not met: type/attribute sysadm_home_dir_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> libsepol.verify_module_requirements: Module alsa's global requirements were not met: type/attribute devlog_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> libsepol.verify_module_requirements: Module amanda's global requirements were not met: type/attribute sysadm_home_dir_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> .... (skipping scads of similar errors..)
> libsepol.verify_module_requirements: Module xserver's global requirements were not met: type/attribute logfile
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> libsepol.verify_module_requirements: Module zebra's global requirements were not met: type/attribute direct_init
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> Running strict/permissive.  Any suggestions?

Looks like the .spec file needs to install all of the modules as a
single transaction to deal with mutually dependent modules.  Or, it
could install them layer-by-layer.  Unfortunately, current semodule
usage requires you to generate the list of all the modules, then prefix
them all with -i options, then pass that entire string as the
commandline to semodule.  Something like:
	# Location where modules are installed from policy package
	cd /usr/share/selinux/strict
	# Generate semodule command line with all non-base modules
	ls *.pp | sed -e "/base.pp/d" -e "/enableaudit.pp/d" -e "i-i " | tr "\n" " " > out
	# Run semodule
	semodule -v `cat out`

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list