SELinux "upgrade" issues
Daniel J Walsh
dwalsh at redhat.com
Wed Jun 22 18:17:01 UTC 2011
On 06/20/2011 07:27 PM, Mr Dash Four wrote:
>
>>> See if you can use sesearch/seinfo to search for the access that the
>>> kernel is not using.
>>>
>> Right, thanks, I'll do that!
> sesearch did *not* work - I've had a fatal error (something about
> "invalid dom used" or something) - that was simply because I was using
> the old version of setools (the one coming with FC13). I then thought,
> rather naively as it turned out, that I would be able to recompile the
> setools set of packages as easily as I did the rest during the weekend.
> How wrong was I!
>
> I've spent about 5 hours applying the most dirty and hideous hacks I
> haven't used since my university days, but in the end *all* setools
> packages were forced into submission and asked, not-so-politely, to use
> and link to python3 instead of the version I have on my FC13 system
> (2.6.4), thus bypassing the python 2.7 requirement for compilation and
> build.
>
> After I installed the relevant setools-* packages, I executed sesearch
> again. It ran OK this time, but returned no matches - unsurprising,
> given that the kernel was complaining of lack of these in the policy.
>
> Then I decided to recompile the policy again - from source - and during
> the build I realised the cause of these kernel errors: I installed my
> libsemanage packages *after* I had built and installed the new SELinux
> policy, which means that the selinux-policy-* packages were built and
> installed using my old libsemanage packages (the one coming with FC13).
>
> I also remembered that I had a weird error when I tried to install
> selinux-policy-targeted (something about
> libsemanage.semanage_link_sandbox: Link packages failed - No such file
> or directory), though I did not pay attention to it at the time as the
> package was installed "correctly".
>
> When I recompiled and installed the policy again (though I had to bump
> the version number from 26 to 27 to prevent rpm screaming at me) using
> the new version of all conceivable SELinux packages, bar the gui ones,
> all went well, during installation of selinux-policy-targeted I even had
> my system relabelled (that was missing with the previous run - probably
> because of the error I've got) and at the end everything was completed
> without any errors.
>
> When I subsequently rebooted and checked my syslog again - the kernel
> errors were gone! Problem solved!
>
> Now I have the rather unpleasant task of upgrading my own customised
> policy from the FC13 to FC15 version. Are there any changes from FC13 to
> FC15 in terms of the language syntax or anything else I need to be aware
> of before I start?
Not that I recall. F16 will add new stuff.