[DSE-Dev] Bug#740562: policycoreutils: cannot disable modules defining types required only by disabled modules
Zack Weinberg
zackw at panix.com
Sun Mar 2 22:07:34 UTC 2014

Source: policycoreutils
Version: 2.2.5-1
Severity: normal

I'm trying to set up SELinux on an unusually cut-down system - it only
has one network service installed, plus all the infrastructure required
for that, about 200 packages in total - and since this is the first time
I've done anything with SELinux, it seemed best to cut the overall policy
size down to the absolute minimum in order to make it easier to reason
about. I managed to get it this far:

# semodule -l | grep -v Disabled
apache 2.7.3
application 1.2.0
authlogin 2.5.3
clock 1.7.1
consoletype 1.10.0
getty 1.10.0
inetd 1.13.0
init 1.20.6
libraries 2.10.1
locallogin 1.12.1
logging 1.20.4
miscfiles 1.11.0
modutils 1.14.1
mount 1.16.5
mta 2.7.3

This is an intermediate stage, obviously more stuff will be turned back
on, but there are several things in here I still don't want, like 'apache'
(the machine is NOT a web server). But look what happens when I try to
turn any of them off:

# semodule -d apache
libsepol.print_missing_requirements: yam's global requirements were not met: type/attribute httpd_sys_content_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!
# semodule -l | grep yam
yam 1.5.0 Disabled

Since yam is not enabled, its requirements are irrelevant and should not be honored.

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
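
The behaviour reported above, as an added example that is not part of the original message and is not libsepol or libsemanage code: a small model of a link-time requirement check run over a module listing in the `semodule -l` format, once honoring the requirements of disabled modules (what the report observes) and once skipping them (what the report asks for). The listing, the DECLARES/REQUIRES tables and all function names are constructed; that apache declares httpd_sys_content_t is an assumption taken from the error message.

```python
"""Model of the requirement check described in the report (not libsepol code)."""

def parse_semodule_list(text):
    """Parse `semodule -l` lines ("name version [Disabled]") into {name: enabled}."""
    state = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        state[fields[0]] = not (len(fields) > 2 and fields[2] == "Disabled")
    return state

def unmet_requirements(state, declares, requires, skip_disabled):
    """Return sorted (module, type) pairs whose required type no enabled module declares."""
    available = set()
    for name, enabled in state.items():
        if enabled:
            available |= declares.get(name, set())
    unmet = []
    for name, enabled in state.items():
        if skip_disabled and not enabled:
            continue  # a disabled module contributes no requirements
        for type_name in requires.get(name, set()):
            if type_name not in available:
                unmet.append((name, type_name))
    return sorted(unmet)

# Constructed listing: the module state that `semodule -d apache` would produce.
LISTING = """apache 2.7.3 Disabled
application 1.2.0
yam 1.5.0 Disabled
"""
# Assumption: apache declares the type and yam requires it (from the error text).
DECLARES = {"apache": {"httpd_sys_content_t"}}
REQUIRES = {"yam": {"httpd_sys_content_t"}}

if __name__ == "__main__":
    state = parse_semodule_list(LISTING)
    # Requirements of disabled modules honored: the link fails on yam.
    print("observed:", unmet_requirements(state, DECLARES, REQUIRES, skip_disabled=False))
    # Requirements of disabled modules ignored: nothing is missing.
    print("expected:", unmet_requirements(state, DECLARES, REQUIRES, skip_disabled=True))
```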