On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
> > On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
> >> On 03/05/2010 04:29 AM, Robert Nichols wrote:
> >>> And, it appears that I have to remember to re-install all local policy
> >>> modules every time there is a policy update, right?? :-((
> >>
> >> Not in all cases but in the case where user domains are involved that
> >> may be true. semodule -B may also do the trick.
> >
> > What's an example where that is required, and why?
> >
>
> Well I don't remember exactly but I used to have a custom user domain, and
> when Fedora's selinux-policy had an update that affected interfaces in
> the userdomain, that my custom user domain calls. Then this change would
> not reflect in my custom user domain.
>
> I had to reinstall my custom user domain after Fedora selinux policy
> updates that made relevant changes to the userdomain.
>
> I think the explanation was that it works like static libraries and not
> like dynamic libraries.

Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
are expanded at module compilation time. So if your module uses a
refpolicy interface and the internals of that interface definition
change and you want to pick up those changes, you might have to
recompile your module (merely re-inserting the already compiled one or
merely running semodule -B won't help). But I don't think that is
commonly needed for local modules, particularly ones that are
audit2allow-generated.

> Unfortunately my memory might be wrong. Also I cannot find the
> particular discussion I had with dwalsh about the issue on the mail
> lists on short notice.
>
> Also I do not know whether this is even related to this issue.

--
Stephen Smalley
National Security Agency
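Added example, not part of the original thread or of any SELinux tooling: one way to decide whether a local module needs recompiling after a policy update is to compare the interface definitions it expands, directly or through other interfaces, between compile time and now. The interface, type and module names below are constructed, and the parser assumes the usual refpolicy `.if` layout.

```python
import re

# Assumption: "interface(`name',`" opens a definition and a line holding
# only "')" at column 0 closes it (nested closers are indented).
IF_START = re.compile(r"^(?:interface|template)\(`(\w+)',`\s*$")
CALL = re.compile(r"\b(\w+)\(")

def parse_interfaces(if_text):
    """Return {name: body} for every interface/template in .if text."""
    defs, name, body = {}, None, []
    for line in if_text.splitlines():
        start = IF_START.match(line)
        if name is None and start:
            name, body = start.group(1), []
        elif name is not None and line.rstrip() == "')":
            defs[name] = "\n".join(body)
            name = None
        elif name is not None:
            body.append(line)
    return defs

def called_interfaces(te_text, defs):
    """Interfaces the module calls, directly or through other interfaces."""
    todo, seen = [te_text], set()
    while todo:
        for n in CALL.findall(todo.pop()):
            if n in defs and n not in seen:
                seen.add(n)
                todo.append(defs[n])
    return seen

def stale_interfaces(te_text, old_defs, new_defs):
    """Names whose macro body differs between compile time and now."""
    names = called_interfaces(te_text, old_defs) | called_interfaces(te_text, new_defs)
    return sorted(n for n in names if old_defs.get(n) != new_defs.get(n))

# Constructed sample input (hypothetical names, not real refpolicy interfaces).
OLD_IF = """\
interface(`example_read_home',`
    gen_require(`
        type example_home_t;
    ')
    allow $1 example_home_t:file read;
')
interface(`example_home_user',`
    example_read_home($1)
')
"""
NEW_IF = OLD_IF.replace("file read;", "file read;\n    allow $1 example_home_t:dir search;")
TE = "policy_module(myuser, 1.0)\ntype myuser_t;\nexample_home_user(myuser_t)\n"
```

A non-empty result means the compiled module still carries the old expansion, so it has to be rebuilt from source and re-inserted.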