On Tue, 2006-05-16 at 16:56 +0100, Paul Howarth wrote: > Next problem: > > I built and tested the package on one system, which was fully up to > date. Worked fine. Then tried installing the package on other system > that was running an older kernel and had older libsepol and > selinux-policy-targeted packages. The result was: > > # rpm -Uvh contagged-0.3-2.noarch.rpm > Preparing... ########################################### > [100%] > 1:contagged warning: /etc/httpd/conf.d/contagged.conf > created as /etc/httpd/conf.d/contagged.conf.rpmnew > ########################################### [100%] > libsepol.class_copy_callback: contagged: Modules may not yet declare new > classes. > libsemanage.semanage_link_sandbox: Link packages failed > /usr/sbin/semodule: Failed! > # rpm -q selinux-policy-targeted libsepol libsemanage > selinux-policy-targeted-2.2.34-3.fc5 > libsepol-1.12.4-1.fc5 > libsemanage-1.6.2-2.fc5 > > After doing a "yum update" on this system, the package installed cleanly. > > Is this a result of the required feature being missing from one of these > (or some other) packages, or is a compiled .pp module compatible only > with the specific version of something it was built against? I'm confused - I thought you said that the policy package only contained a file contexts section, not a policy module. Was there a policy module? If so, what was the source? The above looks like a bug to me. The receiving system has to have a libsepol that understands the policy package format and module format, which are versioned, but the above doesn't appear to be a format issue. There is a pending change in the module format, but you will be able to tell checkmodule to generate the older format as well, and libsepol provides backward compatibility for older formats. > Is there some way of specifying the necessary dependency in the package > containing the binary policy module, or is it so volatile (like a kernel > module for instance) that the best bet would be to ship policy sources > and build them in %post? No, they are intended to allow separate building and distribution. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
