On Tue, 2006-05-16 at 16:56 +0100, Paul Howarth wrote:
Next problem:
I built and tested the package on one system, which was fully up to
date. Worked fine. Then tried installing the package on other system
that was running an older kernel and had older libsepol and
selinux-policy-targeted packages. The result was:
# rpm -Uvh contagged-0.3-2.noarch.rpm
Preparing... ###########################################
[100%]
1:contagged warning: /etc/httpd/conf.d/contagged.conf
created as /etc/httpd/conf.d/contagged.conf.rpmnew
########################################### [100%]
libsepol.class_copy_callback: contagged: Modules may not yet declare new
classes.
libsemanage.semanage_link_sandbox: Link packages failed
/usr/sbin/semodule: Failed!
# rpm -q selinux-policy-targeted libsepol libsemanage
selinux-policy-targeted-2.2.34-3.fc5
libsepol-1.12.4-1.fc5
libsemanage-1.6.2-2.fc5
After doing a "yum update" on this system, the package installed cleanly.
Is this a result of the required feature being missing from one of these
(or some other) packages, or is a compiled .pp module compatible only
with the specific version of something it was built against?
I'm confused - I thought you said that the policy package only contained
a file contexts section, not a policy module. Was there a policy
module? If so, what was the source? The above looks like a bug to me.
The receiving system has to have a libsepol that understands the policy
package format and module format, which are versioned, but the above
doesn't appear to be a format issue. There is a pending change in the
module format, but you will be able to tell checkmodule to generate the
older format as well, and libsepol provides backward compatibility for
older formats.
Is there some way of specifying the necessary dependency in the
package
containing the binary policy module, or is it so volatile (like a kernel
module for instance) that the best bet would be to ship policy sources
and build them in %post?
No, they are intended to allow separate building and distribution.
--
Stephen Smalley
National Security Agency