On 05/21/2015 10:42 AM, Miroslav Grepl wrote:
> We try to get working Fedora SELinux policy builds with migrated store.
> But we get some issues with MLS policy. We needed to add the following
> fixes to make it work.
>
> https://github.com/mgrepl/selinux-policy/commit/daad0252400284027e8a5c300addf6226f74e312

Looks like a bug with the pp2cil converter. Looking into this.

> and
>
> https://github.com/mgrepl/selinux-policy/commit/113792a78ac27e8a05b4e3b550d7bc40c3c937db
>

This works for staff_r, user_r, and sysadm_r because of this hack:

https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/module_to_cil.c#L2023-L2045

The issue here is that secadm and auditadm are always defined in their
respective modules, but conditionally defined in base if enable_mls is
true. Because of this, we can't really use the hack mentioned above,
because auditadm_r and secadm_r aren't always in base, which that hack
relies on.

It's possible we could do the reverse of that for these roles, and only
declare secadm_r and auditadm_r when NOT converting a base module. But I
think this could potentially break things if enable_mls == true and
auditadm/secadm modules aren't installed, but something still relies on
the roles. Not immediately clear if that's the case. Will have to look
into this...

> Please check my commit messages.
>
> Regards,
> Miroslav