On Sun, 2008-04-13 at 21:44 -0500, Joe Nall wrote: > I have an MLS policy.22 and policy.23 on current rawhide. The system > boots and runs policy.22. sedispol doesn't like policy.23. What > controls which policy is in use? Is 22 the correct policy to be > running today? Known problem. The way it is supposed to work (and used to work prior to moving initial policy load into the initrd for upstart) is that libsemanage would always generate the latest policy version supported by libsepol, and libselinux would always try to load the latest policy version supported by libsepol, and libselinux could use libsepol to downgrade that policy to one understood by the kernel as needed. The problem now in Fedora 9 / rawhide is that initial policy load happens from nash on the initrd, and uses the libsepol pulled into the initrd when it was built (i.e. when the kernel was installed). Thus, you can end up with an older libsepol on the initrd than exists on the real root, and have a system where nash can NOT load the latest policy generated by libsemanage. To fix, either a) rebuild your initrd so that you have the latest libsepol in it (this should happen automatically on next kernel install), or b) force the libsepol on the real root to generate policy.22 instead by putting policy-version = 22 in /etc/selinux/semanage.conf and then run semodule -B to rebuild. setools should have been rebuilt recently to pick up the new libsepol (it uses the static lib and has to be rebuilt for newer ones). -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
