By the way, I'm seeking sponsors who can review the SE-PostgreSQL package.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
If you can volunteer for the reviewing process, please contact me.

Thanks,

>>>> If I remember correctly, someone posted a guideline to make
>>>> an RPM package which contains binary security policy, several
>>>> weeks ago.
>>>>
>>>> If you know the URL, would you tell me the location?
>>> There is a draft guide at:
>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>> Thanks so much!
>
> I have a comment for the Policy Module Packaging Guideline.
>
> The document says every *.pp file should be installed for any sort of policy
> (targeted, strict, mls) in the %post section.
> However, it can cause a problem when a part of the policies is not installed yet.
>
> When we try to install an application including a policy package on a system
> which has only the targeted policy, installation of the *.pp files for strict/mls
> will fail, needless to say.
> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
> It will cause a simple problem, but one a bit difficult to find out.
>
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
>
> ----------------
> # In a trigger scriptlet $1 is the number of instances of this package that
> # remain after the operation (1 = fresh install), $2 that of the target package.
> %triggerin -- selinux-policy-targeted
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-strict
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
> fi
> %triggerin -- selinux-policy-mls
> if [ $1 -eq 1 ]; then
> /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
> fi
> ----------------
>
> If the application is installed on a system which already has selinux-policy-strict,
> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
> installed, so there is no degradation.
>
> Thanks,

--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
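The scriptlet body below is an added example, not code from the mail above or from the Fedora draft guideline. It shows one way to write the shared body that %post and each "%triggerin -- selinux-policy-*" section could run: the module is loaded only into the policy stores that actually exist on the system, so a missing strict or mls policy never makes the scriptlet fail, and a policy type installed later can pick the module up through its trigger. The variable names SELINUX_ROOT, SEMODULE and DATADIR, the helper names, and the layout $DATADIR/selinux/<type>/<name>.pp are assumptions made for this example; they mirror the %{_datadir}/selinux/<type>/mymodule.pp paths used in the mail.

```shell
#!/bin/sh
# Added example (not from the thread or the Fedora guideline): load an SELinux
# policy module into every policy store that is present, skipping the others.
#
# Assumptions for this example (hypothetical, overridable for testing):
#   SELINUX_ROOT  root of the policy stores   (real systems: /etc/selinux)
#   SEMODULE      the semodule binary         (real systems: /usr/sbin/semodule)
#   DATADIR       where the *.pp files live   (real systems: %{_datadir} = /usr/share)
#   modules are packaged as $DATADIR/selinux/<type>/<name>.pp

: "${SELINUX_ROOT:=/etc/selinux}"
: "${SEMODULE:=/usr/sbin/semodule}"
: "${DATADIR:=/usr/share}"

# Print, one per line, the policy types whose store exists on this system.
# A store is taken to be present when its policy/ directory exists.
present_policy_types() {
    for t in targeted strict mls; do
        [ -d "$SELINUX_ROOT/$t/policy" ] && printf '%s\n' "$t"
    done
    return 0
}

# Load module $1 (name without .pp) into every present store that ships a
# matching .pp file.  Prints the number of stores it was loaded into, so a
# caller can tell "nothing to do" from "loaded".  A semodule failure is
# swallowed, as in the "... || :" idiom of the mail, so package installation
# never aborts on a policy problem; it is simply not counted.
install_module() {
    mod=$1
    count=0
    for t in $(present_policy_types); do
        pp="$DATADIR/selinux/$t/$mod.pp"
        [ -f "$pp" ] || continue
        if "$SEMODULE" -s "$t" -i "$pp" >/dev/null 2>&1; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Stand-alone use: ./load-policy.sh mymodule
# In a spec file the same body would sit in %post and in each
# "%triggerin -- selinux-policy-<type>" section.
if [ -n "${1:-}" ]; then
    install_module "$1"
fi
```

Because the body only touches stores that exist, the same script is safe in %post on a targeted-only system and in the trigger that fires when selinux-policy-strict or -mls arrives later; pair it with the $1/$2 instance-count checks of the trigger if the module should be loaded only on a fresh install.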