[DSE-Dev] refpolicy REMOVED from testing
Russell Coker
russell at coker.com.au
Thu Dec 12 10:48:41 UTC 2013
I think that up/downgrading to a different policy when the version only differs in the Debian part should unconditionally run selinux-policy-upgrade. When the upstream version is different then it should just prompt the user as it currently does.
As an aside when the selinux-policy-upgrade script was written it took several minutes to run on reasonably good hardware so run time was a factor in the decision to not make it run by default.
Also while on the topic we need to get it to do a fcontext diff and run restorecon as they do in Fedora.
Andreas Kuckartz <a.kuckartz at ping.de> wrote:
>Mika Pflüger:
>>> You already have a default policy installed. I am leaving it
>>> alone. Please check and update manually.
>>
>> That is normal for debian selinux policy upgrades and has been for
>> the last years. You need to run selinux-policy-upgrade(8) to
>> activate the new policy.
>
>I executed selinux-policy-upgrade using sudo with this result:
>
>Updating "default" policy
>libsepol.permission_copy_callback: Module epmd depends on permission
>status in class system, not satisfied (No such file or directory).
>libsemanage.semanage_link_sandbox: Link packages failed (No such file
>or directory).
>semodule: Failed!
>
>> If this is good design can be discussed (and especially I think the
>> message could advertise selinux-policy-upgrade directly instead of
>> letting the user figure that bit out themselves).
>
>Yes, I think that it the user should be offered to execute it at the
>end of the installation.
>
>> From looking at the headers of your mail (which arrived at my
>> inbox only via your direct mail, not via the lists), I'd think that
>> the tor-relay might be what causes debian mailing list servers to
>> reject your mail.
>
>Thanks a *lot* for that hint!
>
>Cheers,
>Andreas
>
>_______________________________________________
>SELinux-devel mailing list
>SELinux-devel at lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
--
Sent from my Samsung Galaxy Note 2 with K-9 Mail.
More information about the SELinux-devel
mailing list