On Tue, 2006-05-16 at 17:33 +0100, Paul Howarth wrote:
> It contains a policy module, but the module only includes file contexts.

Clarification: it is a policy package (.pp), but the policy package only includes file contexts. The module itself is just the .mod file created by checkmodule; it never includes file contexts. If this is going to be common, then semodule_package and libsemanage need to allow for policy packages that have no policy module.

> The .te file is just:
> ---------------------------------------------------------------------
> # It's currently only necessary to set file contexts for the cache directory
> # in this policy, but doing it in a module is easier from a package maintenance
> # point of view than using semanage and chcon in scriptlets
>
> policy_module(contagged, 0.1)

This pulls in requires statements for the kernel classes and permissions. Which it seems are being confused with an attempt to declare classes/permissions in the module by the older libsepol.

> The .fc file is:
> ---------------------------------------------------------------------
> /var/cache/contagged(/.*)?    gen_context(system_u:object_r:httpd_cache_t,s0)
> ---------------------------------------------------------------------

You can't use gen_context() there, can you? I thought it had to be preprocessed already.

> The module was built on a system with:
> $ rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.38-1.fc5
> libsepol-1.12.6-1.fc5
> libsemanage-1.6.2-2.fc5
>
> The error occurred when the package was installed on a system with:
> $ rpm -q selinux-policy-targeted libsepol libsemanage
> selinux-policy-targeted-2.2.34-3.fc5
> libsepol-1.12.4-1.fc5
> libsemanage-1.6.2-2.fc5

Hmmm...and what version of checkmodule was used to build it?

--
Stephen Smalley
National Security Agency