On Tue, 2009-06-30 at 10:08 -0400, Rob Crittenden wrote:
> In the freeIPA project we have our own SELinux policy. We support RHEL 5
> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
> our SELinux module which Dan Walsh provided a patch for. I haven't tried
> this on older releases yet but I'm guessing it won't work as expected
> (some policies seem to have been renamed, such as
> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()).
>
> My question is, how can we handle this in our source tree? Are we going
> to need to maintain per-release policies or does SELinux support some
> sort of versioning conditionals?
>
> thanks
>
> rob

There is tunable policy, meaning you can tune your policy for specific
distros for example. You do this by building the policy with
DISTRO=(distro). See the SELinux makefile:

http://oss.tresys.com/projects/refpolicy/browser/trunk/Makefile
starting at line 179: # enable distribution-specific policy

Then in the policy itself you would put the distro specifics into
separate blocks of policy. For example:

http://oss.tresys.com/projects/refpolicy/browser/trunk/policy/modules/ser...
starting at line 702: ifdef(`distro_redhat',` ')

Which is policy specific to Red Hat distributions. So if you build with
DISTRO=redhat this specific policy is added.

You may or may not be able to use this mechanism for your scenario.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
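
Added example (not part of the original thread and not refpolicy code): the ifdef(`distro_redhat', ...) mechanism described in the reply, reproduced with plain m4 so the result of each build variant can be inspected before a module is shipped. The type myapp_t, the function names and the assignment of the two interface names to the two branches are assumptions made for illustration. The else branch is standard m4 ifdef syntax and goes one step beyond the single-branch form quoted in the reply.

```shell
#!/bin/sh
# Building with DISTRO=<name> makes the m4 symbol distro_<name> defined while
# the policy source is preprocessed. Passing -Ddistro_<name> to m4 directly
# reproduces that for one fragment.

# Constructed policy fragment. myapp_t is a hypothetical type. The interface
# names are the two from the thread; which branch a given release really
# needs is an assumption here, not something the thread states.
fragment() {
cat <<'EOF'
ifdef(`distro_redhat',`
corenet_all_recvfrom_unlabeled(myapp_t)
',`
corenet_non_ipsec_sendrecv(myapp_t)
')
EOF
}

# expand_for DISTRO: print the policy lines that survive preprocessing.
# An empty DISTRO models a build with no distribution selected.
expand_for() {
    if [ -n "$1" ]; then
        fragment | m4 "-Ddistro_$1" | grep -v '^$'
    else
        fragment | m4 | grep -v '^$'
    fi
}

# check_variant DISTRO: succeed only if exactly one of the two interface
# calls is left, so a mistyped ifdef symbol cannot silently drop or double
# the rule in one of the per-release builds.
check_variant() {
    n=$(expand_for "$1" | grep -c '^corenet_')
    [ "$n" -eq 1 ]
}

for d in redhat ""; do
    printf 'DISTRO=%s -> %s\n' "${d:-<unset>}" "$(expand_for "$d")"
    check_variant "$d" || echo "unexpected expansion for '$d'" >&2
done
```

In a real module the same block lives in the .te file and the variant is chosen by the DISTRO= value given to make, as the reply describes.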