Red Hat Bugzilla – Bug 126774
selinux-policy-strict build & post trigger problems
Last modified: 2007-11-30 17:10:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)
Description of problem:
I will report three problems in this PR. Two are simple and one is more complex.
First off, the %post handler of the src.rpm has a bug in it. There are
2 places where it tries to write to /etc/selinux/config. The first is
if there was something in /etc/sysconfig, the second is for new
installations with no customizations. In the second place, it sets the
when it should be:
Also, the targeted src.rpm sets the wrong type in the first place. I
suppose this was just a copy and paste issue since both src.rpms came
from policy a few weeks ago.
Secondly, the rpm never builds because of this:
The problem is the '\' before the '*'. Both strict & targeted have
And lastly (maybe this should be its own Problem Report)... if you do
install the strict policy (with the above corrections), the system
never makes it to a login prompt. There is some message about init
respawning process 6 too fast and it will restart in 5 minutes.
Initscripts are failing all over the place.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Found during build & package config review
If you install strict policy and configure it to run, you will need
to relabel the file system.
The post install is intended to do the following:
On initial install default to targeted policy.
On Update install from FC2 (i.e. /etc/sysconfig/selinux exists) Maintain
On Update of previous install policy, maintain the /etc/selinux/config.
OK, problem 2 is solved. Your explanation of needing to relabel the
filesystem is exactly what's wrong in item 3. That leaves item 1.
The problem is really this: what if you install only the strict policy
on a new installation? Targeted doesn't exist, it wasn't installed.
There are no "Requires" on any package that forces both strict and
targeted to be installed.
The only way the system will boot is if SELINUXTYPE points to a valid
directory. It will fail to boot if it's targeted and targeted isn't
There are two solutions as I see it:
1) Put a "Requires" tag on libselinux (or another package) that forces
both policies to be installed.
2) Fix the strict package to set itself as the default policy if it's
installed on a new system.
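The %post behaviour the maintainer describes above (default to targeted on a fresh install, preserve an existing configuration otherwise) and the reporter's observation that the system only boots when SELINUXTYPE names a policy directory that actually exists can be put together in a small script. This is an added illustration written for this page, not the selinux-policy package's own scriptlet; the ROOT prefix argument (so it can be exercised against a scratch directory), the SELINUX=enforcing default, and the config_is_bootable check are assumptions and additions, not something the package is claimed to do.

```shell
#!/bin/sh
# Illustrative reconstruction of the %post decision described in the thread.
# Not the package's real scriptlet. Every function takes ROOT, an assumed
# prefix (normally "/") so the logic can be tested against a scratch tree.

# policy_type_for_install ROOT
#   Echo the SELINUXTYPE a freshly written config should carry, or "keep"
#   when an existing configuration must be preserved.
policy_type_for_install() {
    root=$1
    if [ -f "$root/etc/selinux/config" ]; then
        echo keep        # update of a previous selinux-policy install
    elif [ -f "$root/etc/sysconfig/selinux" ]; then
        echo keep        # update from FC2: existing settings are maintained
    else
        echo targeted    # initial install: default to targeted policy
    fi
}

# selinux_post ROOT
#   The %post step itself: only writes a config on an initial install.
#   SELINUX=enforcing is an assumed default for the illustration.
selinux_post() {
    root=$1
    type=$(policy_type_for_install "$root")
    [ "$type" = keep ] && return 0
    mkdir -p "$root/etc/selinux"
    printf 'SELINUX=enforcing\nSELINUXTYPE=%s\n' "$type" > "$root/etc/selinux/config"
}

# configured_type ROOT
#   Echo the SELINUXTYPE currently set in ROOT/etc/selinux/config
#   (last assignment wins, as a shell-sourced file would behave).
configured_type() {
    sed -n 's/^SELINUXTYPE=//p' "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# config_is_bootable ROOT
#   Sanity check drawn from the reporter's point: the configured type must
#   name an installed policy directory under ROOT/etc/selinux, or the boot
#   fails. Returns 0 when the directory exists, 1 otherwise.
config_is_bootable() {
    root=$1
    type=$(configured_type "$root")
    [ -n "$type" ] && [ -d "$root/etc/selinux/$type" ]
}
```

Running selinux_post against an empty tree writes SELINUXTYPE=targeted, and config_is_bootable then fails until a targeted policy directory is present, which is exactly the strict-only installation case the reporter describes; a tree that already has /etc/selinux/config or /etc/sysconfig/selinux is left untouched.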
You can't install with strict policy. We don't support it in the
2) We don't want strict to default to strict because we can not
guarantee that targeted policy is or is not installed before strict
policy. If both are installed we want targeted policy to be the default.
Fixed in current release