On Tue, 2009-06-30 at 16:41 -0400, Rob Crittenden wrote:
> Daniel J Walsh wrote:
> > On 06/30/2009 10:08 AM, Rob Crittenden wrote:
> >> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> >> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> >> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> >> this on older releases yet but I'm guessing it won't work as expected
> >> (some policies seem to have been renamed, such as
> >> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()
> >>
> >> My question is, how can we handle this in our source tree? Are we going
> >> to need to maintain per-release policies or does SELinux support some
> >> sort of versioning conditionals?
> >>
> >> thanks
> >>
> >> rob
> >>
> >> ------------------------------------------------------------------------
> >>
> >> --
> >> fedora-selinux-list mailing list
> >> fedora-selinux-list@xxxxxxxxxx
> >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > The old interface will work, it just reports a nasty warning message
> > when you compile it against newer policy. So I think you are safe
> > compiling it on RHEL5 and installing it on F10/F11.
>
> We compile it on the given platform so we need some way to support all
> at once.
>
> For example, the code that builds fine on F-11 fails like this on F-9:
>
> Compiling targeted ipa_webgui module
> /usr/bin/checkmodule: loading policy configuration from tmp/ipa_webgui.tmp
> ipa_webgui.te":77:ERROR 'syntax error' at token
> 'userdom_dontaudit_search_admin_dir' on line 10764:
> userdom_dontaudit_search_admin_dir(ipa_webgui_t)
>
> The diff between F-11 and F-9 being:
>
> -userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
> +userdom_dontaudit_search_admin_dir(ipa_webgui_t)

Try adding this to your module .if file:

ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
interface(`userdom_dontaudit_search_admin_dir', `
	userdom_dontaudit_search_sysadm_home_dirs($1)
')
')

And then use userdom_dontaudit_search_admin_dir throughout your module
.te file. Then it should get remapped if not defined.

--
Stephen Smalley
National Security Agency
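
A pre-build check for the fallback suggested above, added here as an example; it is not code from the thread or from freeIPA. It takes the two renames mentioned in the thread, lists which guarded shims become active against a given set of policy headers, and flags calls where neither name is defined. The header and .te text are constructed samples and the function names are hypothetical.

```python
import re

# Renames named in the thread: newer interface name -> older name.
RENAMES = {
    "userdom_dontaudit_search_admin_dir": "userdom_dontaudit_search_sysadm_home_dirs",
    "corenet_all_recvfrom_unlabeled": "corenet_non_ipsec_sendrecv",
}
DEF_RE = re.compile(r"^\s*(?:interface|template)\(`(\w+)'", re.M)
CALL_RE = re.compile(r"^\s*(\w+)\(", re.M)

# Constructed stand-ins for the installed policy headers of two releases.
OLD_HEADERS = ("interface(`userdom_dontaudit_search_sysadm_home_dirs',`\n')\n"
               "interface(`corenet_non_ipsec_sendrecv',`\n')\n")
NEW_HEADERS = ("interface(`userdom_dontaudit_search_admin_dir',`\n')\n"
               "interface(`corenet_all_recvfrom_unlabeled',`\n')\n")
# Constructed module source that uses the newer names throughout.
SAMPLE_TE = ("policy_module(ipa_webgui, 1.0)\n"
             "# corenet_non_ipsec_sendrecv(ipa_webgui_t)\n"
             "corenet_all_recvfrom_unlabeled(ipa_webgui_t)\n"
             "userdom_dontaudit_search_admin_dir(ipa_webgui_t)\n")

def defined_interfaces(if_text):
    """Names declared with interface()/template() in .if header text."""
    return set(DEF_RE.findall(if_text))

def called_macros(te_text):
    """Macro names called at the start of a line, '#' comments ignored."""
    return set(CALL_RE.findall(re.sub(r"#.*", "", te_text)))

def shim(new, old):
    """ifdef-guarded fallback in the form suggested in the thread."""
    return ("ifdef(`%s', `', ` dnl\ninterface(`%s', `\n\t%s($1)\n')\n')\n"
            % (new, new, old))

def plan(te_text, if_text):
    """Return (active, unresolved) for renamed interfaces the module calls."""
    have, active, unresolved = defined_interfaces(if_text), {}, []
    for new in sorted(called_macros(te_text) & set(RENAMES)):
        if new in have:
            continue                      # native interface exists, shim is inert
        if RENAMES[new] in have:
            active[new] = shim(new, RENAMES[new])
        else:
            unresolved.append(new)        # neither name is in the headers
    return active, unresolved

if __name__ == "__main__":
    active, unresolved = plan(SAMPLE_TE, OLD_HEADERS)
    print("".join(active.values()), "unresolved:", unresolved)
```
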