Re: Supporting multiple OS releases

Stephen Smalley wrote:
On Tue, 2009-06-30 at 16:41 -0400, Rob Crittenden wrote:
Daniel J Walsh wrote:
On 06/30/2009 10:08 AM, Rob Crittenden wrote:
In the freeIPA project we have our own SELinux policy. We support RHEL 5
up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
our SELinux module which Dan Walsh provided a patch for. I haven't tried
this on older releases yet but I'm guessing it won't work as expected
(some policies seem to have been renamed, such as
corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()).

My question is, how can we handle this in our source tree? Are we going
to need to maintain per-release policies or does SELinux support some
sort of versioning conditionals?

thanks

rob


------------------------------------------------------------------------

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

The old interface will work, it just reports a nasty warning message when you compile it against newer policy. So I think you are safe compiling it on RHEL5 and installing it on F10/F11.

We compile it on the given platform so we need some way to support all at once.

For example, the code that builds fine on F-11 fails like this on F-9:

Compiling targeted ipa_webgui module
/usr/bin/checkmodule:  loading policy configuration from tmp/ipa_webgui.tmp
ipa_webgui.te":77:ERROR 'syntax error' at token 'userdom_dontaudit_search_admin_dir' on line 10764:
userdom_dontaudit_search_admin_dir(ipa_webgui_t)

The diff between F-11 and F-9 being:

-userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
+userdom_dontaudit_search_admin_dir(ipa_webgui_t)
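
Review bot: the `+` line calls userdom_dontaudit_search_admin_dir, which is the token the F-9 checkmodule output above rejects as a syntax error, so swapping the call directly in the .te ties the module to releases that define the new name. Keep a single name in the .te and supply the missing one from the module's own .if, guarded so it is only defined where the release lacks it.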

Try adding this to your module .if file:
ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
interface(`userdom_dontaudit_search_admin_dir', `
    userdom_dontaudit_search_sysadm_home_dirs($1)
')
')

And then use userdom_dontaudit_search_admin_dir throughout your
module .te file.  Then it should get remapped if not defined.


This is exactly what I was looking for, thanks.

rob
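
A pre-build check to go with the shim suggested above, as an added example that is not code from this thread, freeIPA or the reference policy: it lists the macros a .te file calls that the given headers do not define, which are the names that need a compat shim on that release. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list macros a .te calls that the given headers do not define.

# Names called as "name(" at the start of a line. Requiring an underscore
# skips m4 builtins such as ifdef and ifelse.
called_names() {
    sed -n 's/^[[:space:]]*\([a-z][a-z0-9]*_[a-z0-9_]*\)(.*/\1/p' "$1" | sort -u
}

# Names introduced by interface(`x', template(`x' or define(`x' in any file
# under the given paths (.if interface files and .spt support macros).
defined_names() {
    grep -rhoE "(interface|template|define)\(\`[a-z0-9_]+'" "$@" 2>/dev/null |
        sed "s/.*\`\(.*\)'/\1/" | sort -u
}

# undefined_interfaces TE_FILE PATH...  prints one missing name per line.
undefined_interfaces() {
    te=$1; shift
    defs=$(defined_names "$@")
    called_names "$te" | while read -r name; do
        printf '%s\n' "$defs" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample data (not real policy): headers that only know the old
# name, a .te that calls the new name, and the shim quoted in the thread.
make_sample() {
    mkdir -p "$1/include/support"
    cat > "$1/include/support/macros.spt" <<'EOF'
define(`policy_module',`module $1 $2;')
EOF
    cat > "$1/include/userdomain.if" <<'EOF'
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
    # constructed placeholder body
')
EOF
    cat > "$1/ipa_webgui.te" <<'EOF'
policy_module(ipa_webgui, 1.0)
type ipa_webgui_t;
userdom_dontaudit_search_admin_dir(ipa_webgui_t)
EOF
    cat > "$1/ipa_webgui.if" <<'EOF'
ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
interface(`userdom_dontaudit_search_admin_dir', `
    userdom_dontaudit_search_sysadm_home_dirs($1)
')
')
EOF
}
```

Against the sample headers alone the check reports userdom_dontaudit_search_admin_dir; passing the module's own .if as an extra path clears it. On a build host the header path would be the release's policy development include directory, which is an assumption about your layout.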
