[DSE-Dev] Sid SELinux packages are now working

Manoj Srivastava srivasta at debian.org
Tue May 8 19:43:03 UTC 2007


Hi,

        There was a problem with how our refpolicy packages were put
 together -- modules that were included in base were still built and
 shipped in /usr/share/selinux/$policy_name/*.pp; but they could not be
 installed, since there was a conflict -- they had already been
 installed by base.pp.

        I fixed that, and with today's Sid packages, I can install either
 the targeted or the strict policy, either in a minimal UML, or on my
 development machine.

        I think we need to create a tool that can update your policy
 setup, taking into account any new packages you might have installed in
 the meanwhile and loading new modules as needed.  This is the first
 step towards having an installation of a package automatically loading
 the corresponding policy in the pre-inst phase.

        An initial approach would be to have this utility be given a
 package name on the command line, and it will see if there is a
 corresponding selinux modular policy module, and install the policy or
 update it as needed (if selinux is enabled, of course).  If the module
 is already installed, it should do nothing.

        This way, developers can put in "update_selinux_modules $pkg"
 in the preinst, without having to wait for a release when we can use
 dpkg triggers.

        manoj
-- 
General notions are generally wrong. Lady M.W. Montagu
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
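
Added example, not part of the original message and not code from Debian or the refpolicy packages: a shell version of the `update_selinux_modules $pkg` helper proposed above, using `selinuxenabled` and `semodule`. It assumes the module file is named after the package and that a module already listed by `semodule -l` needs no action; `SELINUX_CONFIG` and `SELINUX_SHARE` are hypothetical overrides for testing.

```shell
#!/bin/sh
# Added sketch of the proposed "update_selinux_modules $pkg" helper.
# Assumptions: the policy module is named after the package, and a module
# that `semodule -l` already lists needs no action. SELINUX_CONFIG and
# SELINUX_SHARE are hypothetical overrides so the logic can be tested.

SELINUX_CONFIG=${SELINUX_CONFIG:-/etc/selinux/config}
SELINUX_SHARE=${SELINUX_SHARE:-/usr/share/selinux}

# Print the active policy name (the SELINUXTYPE= line of the config file).
selinux_policy_name() {
    sed -n 's/^SELINUXTYPE=[[:space:]]*\([A-Za-z0-9_-]*\).*/\1/p' \
        "$SELINUX_CONFIG" | head -n 1
}

# Return 0 if module $1 is already in the policy store.
selinux_module_loaded() {
    semodule -l | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# Load the module for package $1 if one is shipped and not yet installed.
# Returns 0 when there is nothing to do, so a preinst is not aborted on
# systems without SELinux; returns 2 for a rejected package name.
update_selinux_modules() {
    pkg=$1
    # Runs as root from a maintainer script: accept only Debian package-name
    # characters so the argument cannot escape the module directory.
    case $pkg in
        ''|*[!a-z0-9+.-]*|[!a-z0-9]*)
            echo "update_selinux_modules: invalid package name" >&2
            return 2 ;;
    esac
    selinuxenabled 2>/dev/null || return 0     # SELinux disabled
    policy=$(selinux_policy_name)
    [ -n "$policy" ] || return 0
    pp="$SELINUX_SHARE/$policy/$pkg.pp"
    [ -f "$pp" ] || return 0                   # no module shipped for $pkg
    selinux_module_loaded "$pkg" && return 0   # already installed: do nothing
    semodule -i "$pp"
}

# Called with an argument (as from a preinst), act on it; sourced, do nothing.
if [ $# -gt 0 ]; then update_selinux_modules "$@"; fi
```

Because modules folded into base.pp do not appear as separate .pp files after the fix described above, the `-f` check also keeps the helper from attempting the conflicting install.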


