On Fri, 2010-03-05 at 15:04 +0100, Dominick Grift wrote:
> On 03/05/2010 02:53 PM, Stephen Smalley wrote:
>> On Fri, 2010-03-05 at 10:09 +0100, Dominick Grift wrote:
>>> On 03/05/2010 04:29 AM, Robert Nichols wrote:
>>>> And, it appears that I have to remember to re-install all local policy
>>>> modules every time there is a policy update, right?? :-((
>>>
>>> Not in all cases but in the case where user domains are involved that
>>> may be true. semodule -B may also do the trick.
>>
>> What's an example where that is required, and why?
>>
> Well, I don't remember exactly but I used to have a custom user domain, and
> when Fedora's selinux-policy had an update that affected interfaces in
> the userdomain, that my custom user domain calls. Then this change would
> not reflect in my custom user domain.
> I had to reinstall my custom user domain after Fedora selinux policy
> updates that made relevant changes to the userdomain.
> I think the explanation was that it works like static libraries and not
> like dynamic libraries.

Ah, yes - refpolicy interfaces are merely m4 macros presently and thus
are expanded at module compilation time. So if your module uses a
refpolicy interface and the internals of that interface definition
change and you want to pick up those changes, you might have to
recompile your module (merely re-inserting the already compiled one or
merely running semodule -B won't help). But I don't think that is
commonly needed for local modules, particularly ones that are
audit2allow-generated.

> Unfortunately my memory might be wrong. Also I cannot find the
> particular discussion I had with dwalsh about the issue on the mail
> lists on short notice.
> Also I do not know whether this is even related to this issue.

--
Stephen Smalley
National Security Agency
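
The compile-time expansion described in the reply above, as a small Python model added here: it is not part of the original thread and is not refpolicy, m4 or semodule code. Every interface, type and function name in it is constructed, and `rebuild` only stands in for re-inserting or relinking an already compiled module.

```python
import re

# All names below are constructed for this illustration.
CALL = re.compile(r"^\s*(\w+)\(([^()]*)\)\s*$")

def compile_module(source, interfaces):
    """Expand interface calls using the definitions present at compile time.
    The returned list holds raw rules only; no interface names survive."""
    rules = []
    for line in source.strip().splitlines():
        m = CALL.match(line)
        if m and m.group(1) in interfaces:
            body = interfaces[m.group(1)]
            for i, arg in enumerate(m.group(2).split(","), 1):
                body = body.replace(f"${i}", arg.strip())
            rules.extend(compile_module(body, interfaces))  # nested calls
        else:
            rules.append(line.strip())
    return rules

def rebuild(compiled_modules):
    """Stand-in for re-inserting or relinking: uses compiled modules as-is."""
    return sorted({r for mod in compiled_modules.values() for r in mod})

# Interface as shipped when the local module was first compiled.
OLD_IFACES = {"demo_read_home": "allow $1 demo_home_t:file read;"}
# Same interface after a policy update changed its internals.
NEW_IFACES = {"demo_read_home": "allow $1 demo_home_t:file { read getattr };\n"
                                "allow $1 demo_home_t:dir search;"}
# Local module source: one interface call plus one plain rule.
LOCAL_TE = "demo_read_home(myuser_t)\nallow myuser_t self:process signal;"

def scenario():
    store = {"local": compile_module(LOCAL_TE, OLD_IFACES)}
    before = rebuild(store)
    # Policy update happens here: NEW_IFACES exists, the compiled module
    # is untouched, so relinking cannot see the new interface body.
    after_rebuild = rebuild(store)
    store["local"] = compile_module(LOCAL_TE, NEW_IFACES)  # recompile
    after_recompile = rebuild(store)
    return before, after_rebuild, after_recompile

if __name__ == "__main__":
    labels = ("installed", "after rebuild", "after recompile")
    for label, rules in zip(labels, scenario()):
        print(f"{label}: {rules}")
```
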