Re: CIL: migrate_store issues with MLS policy


 



On 05/21/2015 05:36 PM, Steve Lawrence wrote:
> On 05/21/2015 10:42 AM, Miroslav Grepl wrote:
>> We try to get working Fedora SELinux policy builds with migrated store.
>> But we get some issues with MLS policy. We needed to add the following
>> fixes to make it work.
>>
>> https://github.com/mgrepl/selinux-policy/commit/daad0252400284027e8a5c300addf6226f74e312
> 
> Looks like a bug with the pp2cil converter. Looking into this.
> 
>> and
>>
>> https://github.com/mgrepl/selinux-policy/commit/113792a78ac27e8a05b4e3b550d7bc40c3c937db
>>
> 
> This works for staff_r, user_r, and sysadm_r because of this hack:
> 
> https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/module_to_cil.c#L2023-L2045

Thanks, I overlooked it.
> 
> The issue here is that secadm and auditadm are always defined in their
> respective modules, but conditionally defined in base if enable_mls is
> true. Because of this, we can't really use the hack mentioned above,
> because auditadm_r and secadm_r aren't always in base, which that hack
> relies on.
> 
> It's possible we could do the reverse of that for these roles, and only
> declare secadm_r and auditadm_r when NOT converting a base module. But
> this could potentially break things if enable_mls == true and
> auditadm/secadm modules aren't installed, but something still relies on
> the roles. Not immediately clear if that's the case. Will have to look
> into this...
> 
Ok. The point is if we add another SELinux user we will get the same
issue also for targeted policy.
> 
>> Please check my commit messages.
>>
>> Regards,
>> Miroslav
>>
> 


-- 
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.



