From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2) Gecko/20040308

Description of problem:
I will report 3 problems in this PR. 2 are simple & one more complex.

First off, the %post handler of the src.rpm has a bug in it. There are 2 places where it tries to write to /etc/selinux/config. The first is if there was something in /etc/sysconfig, the second is for new installations with no customizations. In the second place, it sets the variable:

SELINUXTYPE=targeted

when it should be:

SELINUXTYPE=strict

Also, the targeted src.rpm sets the wrong type in the first place. I suppose this was just a copy and paste issue since both src.rpms came from policy a few weeks ago.

Secondly, the rpm never builds because of this:

%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/tunables/\*

The problem is the '\' before the '*'. Both strict & targeted have this bug.

And lastly (maybe this should be its own Problem Report)... if you do install the strict policy (with the above corrections), the system never makes it to a login prompt. There is some message about init respawning process 6 too fast and it will restart in 5 minutes. Initscripts are failing all over the place.

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.13.8-1

How reproducible:
Always

Steps to Reproduce:
1. Found during build & package config review

Additional info:
If you install strict policy and configure it to run, you will need to relabel the file system.

The post install is intended to do the following:
On initial install, default to targeted policy.
On update install from FC2 (i.e. /etc/sysconfig/selinux exists), maintain strict policy.
On update of a previous install of policy, maintain the /etc/selinux/config.

Dan
OK, problem 2 is solved. Your explanation of needing to relabel the filesystem is exactly what's wrong in item 3. That leaves item 1.

The problem is really this: what if you install only the strict policy on a new installation? Targeted doesn't exist, it wasn't installed. There are no "Requires" on any package that forces both strict and targeted to be installed. The only way the system will boot is if SELINUXTYPE points to a valid directory. It will fail to boot if it's targeted and targeted isn't installed.

There are 2 solutions as I see it:
1) Put a "Requires" tag on libselinux (or another package) that forces both policies to be installed.
2) Fix the strict package to set itself as the default policy if it's installed on a new system.
1) You can't install with strict policy. We don't support it in the installer.
2) We don't want strict to default to strict because we cannot guarantee that targeted policy is or is not installed before strict policy. If both are installed we want targeted policy to be the default.
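The following is an added example, not the scriptlet from the selinux-policy src.rpm and not code posted by anyone in this report. It models the three %post cases Dan lists in comment 2 (fresh install -> targeted, FC2 update with /etc/sysconfig/selinux -> strict, existing /etc/selinux/config -> keep it) as shell functions parameterised on a root directory, and adds the check the reporter argues for in comment 3: whatever SELINUXTYPE ends up in the config must name a policy tree that is actually installed, or the box will not reach a login prompt. The function names, the `policy` subdirectory used as the "installed" marker, and the constructed root layouts are all assumptions made for the example.

```sh
#!/bin/sh
# Added example: a model of the %post decision described in this bug,
# run against constructed directory trees instead of the live system.
# The function names and layout markers are assumptions, not the
# real selinux-policy scriptlet.

# Decide which policy type %post would write for the tree rooted at $1.
# Prints "keep" when an existing /etc/selinux/config must be preserved.
choose_selinuxtype() {
    root=$1
    if [ -f "$root/etc/selinux/config" ]; then
        echo keep                      # previous policy install: leave config alone
    elif [ -f "$root/etc/sysconfig/selinux" ]; then
        echo strict                    # FC2 upgrade: FC2 shipped strict
    else
        echo targeted                  # fresh install: targeted is the default
    fi
}

# Write /etc/selinux/config under $1 unless one already exists (noreplace).
write_selinux_config() {
    root=$1
    ptype=$(choose_selinuxtype "$root")
    [ "$ptype" = keep ] && return 0
    mkdir -p "$root/etc/selinux"
    printf 'SELINUX=enforcing\nSELINUXTYPE=%s\n' "$ptype" > "$root/etc/selinux/config"
}

# Read SELINUXTYPE from the config under $1 (empty if unset).
configured_type() {
    sed -n 's/^SELINUXTYPE=//p' "$1/etc/selinux/config" 2>/dev/null
}

# Return 0 only if the configured type has a policy tree installed under $1.
# This is the check that would have flagged the strict-only install.
config_is_bootable() {
    root=$1
    t=$(configured_type "$root")
    [ -n "$t" ] && [ -d "$root/etc/selinux/$t/policy" ]
}

# Build a constructed root.  Usage: make_root DIR [strict] [targeted] [fc2] [oldcfg]
#   strict/targeted : mark that policy as installed
#   fc2             : leave an FC2-style /etc/sysconfig/selinux behind
#   oldcfg          : leave a previous /etc/selinux/config (strict) behind
make_root() {
    root=$1; shift
    mkdir -p "$root/etc"
    for item in "$@"; do
        case $item in
            strict|targeted) mkdir -p "$root/etc/selinux/$item/policy" ;;
            fc2)    mkdir -p "$root/etc/sysconfig"
                    echo 'SELINUX=enforcing' > "$root/etc/sysconfig/selinux" ;;
            oldcfg) mkdir -p "$root/etc/selinux"
                    printf 'SELINUX=permissive\nSELINUXTYPE=strict\n' > "$root/etc/selinux/config" ;;
        esac
    done
}

# Demonstrate all four scenarios discussed in the report on throwaway trees.
demo() {
    base=$(mktemp -d)
    make_root "$base/both"       strict targeted
    make_root "$base/strictonly" strict
    make_root "$base/fc2"        strict fc2
    make_root "$base/upgrade"    strict targeted oldcfg
    for r in both strictonly fc2 upgrade; do
        write_selinux_config "$base/$r"
        if config_is_bootable "$base/$r"; then status=ok; else status=UNBOOTABLE; fi
        printf '%-10s SELINUXTYPE=%-8s %s\n' "$r" "$(configured_type "$base/$r")" "$status"
    done
    rm -rf "$base"
}

demo
```

Running it prints one line per scenario; the `strictonly` tree is the one that comes out UNBOOTABLE, because the fresh-install branch writes `SELINUXTYPE=targeted` while only `strict` is present. Whichever of the two solutions from comment 3 is chosen, a `config_is_bootable`-style check at the end of %post is cheap insurance against that state.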
Fixed in current release