Re: SELinux policy for both Enterprise Linux 5 and 6


On 12/01/2011 01:58 PM, Miroslav Grepl wrote:
> On 12/01/2011 03:15 PM, Daniel J Walsh wrote: On 12/01/2011 06:03
> AM, Miroslav Grepl wrote:
>>>> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>>>> I have SELinux policy that is compiled on Red Hat
>>>>> Enterprise Linux 5.
>>>>> 
>>>>> This policy fails to install on Red Hat Enterprise Linux 6
>>>>> with the following message:
>>>>> 
>>>>> libsepol.print_missing_requirements: pbrun's global
>>>>> requirements were not met: type/attribute system_chkpwd_t
>>>>> (No such file or directory).
>>>>> 
>>>> This type does not exist on RHEL6. This is the reason why you
>>>> cannot load your local policy. You probably just need to
>>>> recompile your policy on RHEL6. Another option would be to
>>>> use an "optional_policy" block for the interface call.
>>>> 
>>>> For example
>>>> 
>>>> optional_policy(`
>>>>     auth_domtrans_chk_passwd(test_t)
>>>> ')
>>>> 
>>>> If something is wrong with this interface then it won't be
>>>> used. But of course, then you will lose a part of the
>>>> functionality.
>>>>> 
>>>>> 
>>>>> Is there a way to write SELinux policy so that it can be
>>>>> compiled on v 5.x and will run on 6.x?
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> Thanks,
>>>>> 
>>>>> Brian
>>>>> 
>>>> Regards, Miroslav
>>>>> 
>>>>> -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx 
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>> 
>>>> 
> 
> Miroslav, we need to add the type alias for this situation, though.
>> I was thinking about that, but this is between major releases. Is
>> this possible?
> 


Well, I guess we could hope that it works. I think where it will fall
apart is on things like the open access. So a policy built for RHEL5
might not work on RHEL6, if a confined domain needs to open anything...
