libselinux should not require libsetrans
sds at tycho.nsa.gov
Wed Sep 14 17:58:35 UTC 2005
In the current Fedora spec file, libselinux has libsetrans as a prereq,
thereby pulling it in on libselinux updates for all users regardless of
policy. However, libsetrans presumes that MCS is enabled and always
appends :s0 to contexts when converting to raw format if they lack it.
This breaks (for example) a system running strict policy, as libselinux
then starts using the MCS-specific libsetrans and it starts
appending :s0 to raw contexts, but the kernel then rejects those
contexts since it does not have an MLS-enabled policy.
libsetrans is supposed to be optional, with libselinux gracefully
falling back to no translation if it is absent. I can possibly see
making it a dependency of MCS-enabled targeted policy packages, but not
of libselinux. Yes?
National Security Agency
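
The failure described in this message, as an added example that is not part of the original post and is not libselinux or libsetrans code: a simplified C model of raw-context conversion with and without an MCS translator, checked against a non-MLS and an MLS-enabled policy. All function names, the field-counting validity check and the sample context are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count ':'-separated fields: user:role:type is 3; a level adds a 4th. */
static int field_count(const char *ctx)
{
    int n = 1;
    for (; *ctx; ctx++)
        if (*ctx == ':')
            n++;
    return n;
}

/* Model of the MCS translator: append ":s0" when no level is present. */
int mcs_to_raw(const char *ctx, char *out, size_t len)
{
    int n = field_count(ctx) < 4 ? snprintf(out, len, "%s:s0", ctx)
                                 : snprintf(out, len, "%s", ctx);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Model of the library: translate if the translator is installed,
 * otherwise fall back to passing the context through unchanged. */
int to_raw(const char *ctx, char *out, size_t len, int translator_present)
{
    int n;
    if (translator_present)
        return mcs_to_raw(ctx, out, len);
    n = snprintf(out, len, "%s", ctx);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Simplified kernel check: a non-MLS policy accepts exactly three
 * fields; an MLS-enabled policy needs a level as well. */
int policy_accepts(const char *raw, int mls_enabled)
{
    int n = field_count(raw);
    return mls_enabled ? n >= 4 : n == 3;
}

/* 1 if the converted context is accepted by the policy model. */
int context_survives(const char *ctx, int translator_present, int mls_enabled)
{
    char raw[256];
    if (to_raw(ctx, raw, sizeof raw, translator_present) != 0)
        return 0;
    return policy_accepts(raw, mls_enabled);
}
```
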