Supporting multiple OS releases

Daniel J Walsh dwalsh at redhat.com
Tue Jun 30 21:28:32 UTC 2009


On 06/30/2009 04:41 PM, Rob Crittenden wrote:
> Daniel J Walsh wrote:
>> On 06/30/2009 10:08 AM, Rob Crittenden wrote:
>>> In the freeIPA project we have our own SELinux policy. We support RHEL 5
>>> up through Fedora Rawhide. With Fedora 11 we saw some problems compiling
>>> our SELinux module which Dan Walsh provided a patch for. I haven't tried
>>> this on older releases yet but I'm guessing it won't work as expected
>>> (some policies seem to have been renamed, such as
>>> corenet_non_ipsec_sendrecv() -> corenet_all_recvfrom_unlabeled()).
>>>
>>> My question is, how can we handle this in our source tree? Are we going
>>> to need to maintain per-release policies or does SELinux support some
>>> sort of versioning conditionals?
>>>
>>> thanks
>>>
>>> rob
>>>
>> The old interface will work, it just reports a nasty warning message
>> when you compile it against newer policy. So I think you are safe
>> compiling it on RHEL5 and installing it on F10/F11.
>
> We compile it on the given platform so we need some way to support all
> at once.
>
> For example, the code that builds fine on F-11 fails like this on F-9:
>
> Compiling targeted ipa_webgui module
> /usr/bin/checkmodule: loading policy configuration from tmp/ipa_webgui.tmp
> ipa_webgui.te":77:ERROR 'syntax error' at token
> 'userdom_dontaudit_search_admin_dir' on line 10764:
> userdom_dontaudit_search_admin_dir(ipa_webgui_t)
>
> The diff between F-11 and F-9 being:
>
> -userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
> +userdom_dontaudit_search_admin_dir(ipa_webgui_t)
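Review bot: the straight rename on the `+` line leaves no build path for the older release. userdom_dontaudit_search_admin_dir(ipa_webgui_t) is exactly the token the F-9 checkmodule output above rejects with a syntax error, while the `-` line's userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t) is the form F-9 accepts. Since the module is compiled on each platform, keep both names and select one per release at build time rather than replacing one with the other in the shared ipa_webgui.te.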
>
> rob
>
Right, I think you would need to build on F9 for support on F11, not the 
other way around.  Just like you would do with shared libraries.  You 
would not expect a C executable built on F11 to run on F9?
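For the case raised in the thread, where the module is compiled on each platform, one option is to probe the installed policy headers for the interface name before compiling. The script below is an added example, not part of the original messages and not freeIPA's build code. The function names, the `@SEARCH_ADMIN_DIR@` placeholder, and the header tree location are assumptions.

```shell
#!/bin/sh
# Added example. Hypothetical names: pick_interface, render_te,
# make_sample_tree, the @SEARCH_ADMIN_DIR@ placeholder.

# Print the first candidate that the policy headers under $1 define.
# $1: header tree (assumed: /usr/share/selinux/devel/include on a real host)
# $2..: candidate interface names, preferred name first
pick_interface() {
    incdir=$1; shift
    for name in "$@"; do
        # .if files declare each interface as: interface(`name',`
        # The trailing quote keeps a longer name from matching a prefix.
        if grep -rqsF --include='*.if' "interface(\`${name}'" "$incdir"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Write the .te source for this host to stdout from a template.
# $1: header tree, $2: template containing @SEARCH_ADMIN_DIR@
render_te() {
    iface=$(pick_interface "$1" \
        userdom_dontaudit_search_admin_dir \
        userdom_dontaudit_search_sysadm_home_dirs) || {
        echo "no known interface name found under $1" >&2
        return 1
    }
    sed "s/@SEARCH_ADMIN_DIR@/${iface}/g" "$2"
}

# Constructed sample input: a minimal header tree defining one interface.
# $1: directory to create, $2: interface name to define
make_sample_tree() {
    mkdir -p "$1/system"
    cat > "$1/system/userdomain.if" <<EOF
interface(\`$2',\`
	dontaudit \$1 sample_t:dir search;
')
EOF
}
```

The probe fails the build early with a clear message when neither name is present, instead of surfacing as a checkmodule syntax error deep in the expanded policy.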



