I have an SELinux policy that is compiled on Red Hat Enterprise Linux 5. This policy fails to install on Red Hat Enterprise Linux 6 with the following message:
libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
Is there a way to write SELinux policy so that it can be compiled on v 5.x and will run on 6.x?
Thanks,
Brian
On 11/17/2011 08:05 PM, Brian Ginn wrote:
> I have an SELinux policy that is compiled on Red Hat Enterprise Linux 5.
> This policy fails to install on Red Hat Enterprise Linux 6 with the following message:
> libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
> Is there a way to write SELinux policy so that it can be compiled on v 5.x and will run on 6.x?
> Thanks,
> Brian
That looks like a bug in RHEL6 policy then. Could you attach the policy? You are supposed to be able to do this. We might need to add a typealias to RHEL6.
On 11/18/2011 02:05 AM, Brian Ginn wrote:
> I have an SELinux policy that is compiled on Red Hat Enterprise Linux 5.
> This policy fails to install on Red Hat Enterprise Linux 6 with the following message:
> libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).

This type does not exist on RHEL6. This is why you cannot load your local policy. You probably just need to recompile your policy on RHEL6. Another option would be to use an "optional_policy" block for the interface call.

For example:

    optional_policy(`
        auth_domtrans_chk_passwd(test_t)
    ')

If something is wrong with this interface then it won't be used. But of course, then you will lose a part of the functionality.

> Is there a way to write SELinux policy so that it can be compiled on v 5.x and will run on 6.x?
> Thanks,
> Brian

Regards, Miroslav
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
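
The reply above turns on scope: a type required outside any optional block is a global requirement and blocks installation when the target lacks it, while the same requirement inside an optional block only disables that block. The Python below is an added example, not code from this thread or from any SELinux project; it assumes its input is module text after macro expansion (where `optional_policy` has become `optional { ... }` and interface requirements appear as `require { ... }`), the sample module text and target type list are constructed, and `split_requirements` and `preflight` are hypothetical names.

```python
import re
# Tokens are braces, semicolons and words; commas are skipped as separators.
TOKEN = re.compile(r"[{};]|[^\s{};,]+")

def split_requirements(expanded_te):
    """Return (global, optional) sets of required type/attribute names."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", expanded_te))  # drop comments
    stack, prev, kind = [], None, None
    global_reqs, optional_reqs = set(), set()
    for tok in tokens:
        if tok == "{":  # remember which kind of block this brace opens
            stack.append(prev if prev in ("optional", "require") else "other")
            kind = None
        elif tok == "}":
            if stack:
                stack.pop()
        elif stack and stack[-1] == "require":
            if tok == ";":
                kind = None            # statement ended
            elif kind is None:
                kind = tok             # statement keyword: type, attribute, class
            elif kind in ("type", "attribute"):
                bucket = optional_reqs if "optional" in stack else global_reqs
                bucket.add(tok)
        prev = tok
    return global_reqs, optional_reqs

def preflight(expanded_te, target_types):
    """Return (blocking, disabling): names missing on the target, by scope."""
    known = set(target_types.split())
    global_reqs, optional_reqs = split_requirements(expanded_te)
    return sorted(global_reqs - known), sorted(optional_reqs - known)

# Constructed samples: module text after macro expansion, not pbrun's real policy.
UNGUARDED = """
module pbrun 1.0;
require { type system_chkpwd_t; type chkpwd_exec_t; class process transition; }
allow test_t system_chkpwd_t:process transition;
"""
GUARDED = """
module pbrun 1.0;
type test_t;
optional {
    require { type system_chkpwd_t, chkpwd_exec_t; class process { transition }; }
    allow test_t system_chkpwd_t:process transition;
}
"""
# Constructed type list for the target host, not a real RHEL6 listing.
TARGET = "chkpwd_exec_t\nbin_t\n"
```

A name in the first list returned by `preflight` would stop the module from installing; a name in the second means the guarded rules are dropped on that host.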
On 12/01/2011 06:03 AM, Miroslav Grepl wrote:
> This type does not exist on RHEL6. This is why you cannot load your local policy. You probably just need to recompile your policy on RHEL6. Another option would be to use an "optional_policy" block for the interface call.
> For example:
>     optional_policy(`
>         auth_domtrans_chk_passwd(test_t)
>     ')
> If something is wrong with this interface then it won't be used. But of course, then you will lose a part of the functionality.
Miroslav, we need to add the type alias for this situation, though.
On 12/01/2011 03:15 PM, Daniel J Walsh wrote:
> Miroslav, we need to add the type alias for this situation, though.
I was thinking about that, but this is between major releases. Is this possible?
On 12/01/2011 01:58 PM, Miroslav Grepl wrote:
> I was thinking about that, but this is between major releases. Is this possible?
Well, I guess we could hope that it works. I think where it will fall apart is on things like the open access. So a policy built for RHEL5 might not work on RHEL6, if a confined domain needs to open anything...