On Tue, 2009-06-30 at 10:08 -0400, Rob Crittenden wrote:
> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> this on older releases yet but I'm guessing it won't work as expected
> (some policies seem to have been renamed, such as
> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
>
> My question is, how can we handle this in our source tree? Are we going
> to need to maintain per-release policies or does SELinux support some
> sort of versioning conditionals?
>
> thanks
>
> rob

There is tunable policy, meaning you can tune your policy for specific distros for example. You do this by building the policy with DISTRO=(distro).

See the SELinux makefile:
http://oss.tresys.com/projects/refpolicy/browser/trunk/Makefile
starting at line 179:

# enable distribution-specific policy

Then in the policy itself you would put the distro specifics into separate blocks of policy. For example:
http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/services/apache.te
starting at line 702:

ifdef(`distro_redhat',` ')

Which is policy specific to RedHat distributions. So if you build with DISTRO=redhat this specific policy is added.

You may or may not be able to use this mechanism for your scenario.

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list