Bug 126774 - selinux-policy-strict build & post trigger problems
Summary: selinux-policy-strict build & post trigger problems
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2004-06-26 12:31 UTC by Steve Grubb
Modified: 2007-11-30 22:10 UTC (History)
Last Closed: 2005-02-09 18:55:32 UTC

Description Steve Grubb 2004-06-26 12:31:26 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.4.2)

Description of problem:
I will report 3 problems in this PR. 2 are simple & one more complex.

First off, the %post handler of the src.rpm has a bug in it. There are
2 places where it tries to write to /etc/selinux/config. The first is
if there was something in /etc/sysconfig, the second is for new
installations with no customizations. In the second place, it sets the


when it should be:


Also, the targeted src.rpm sets the wrong type in the first place. I
suppose this was just a copy and paste issue since both src.rpms came
from policy a few weeks ago.

Secondly, the rpm never builds because of this:

%config(noreplace) %{_sysconfdir}/selinux/%{type}/src/policy/tunables/\*

The problem is the '\' before the '*'. Both strict & targeted have
this bug.

And lastly, (maybe this should be its own Problem Report)...if you do
install the strict policy (with the above corrections), the system
never makes it to a login prompt. There is some message about init
respawning process 6 too fast and it will restart in 5 minutes.
Initscripts are failing all over the place.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Found during build & package config review

Additional info:

Comment 1 Daniel Walsh 2004-07-20 15:07:00 UTC
If you install strict policy and configure it to run, you will need
to relabel the file system.

The post install is intended to do the following:

On initial install, default to targeted policy.
On update install from FC2 (i.e. /etc/sysconfig/selinux exists), maintain
strict policy.
On update of previous install policy, maintain the /etc/selinux/config.


Comment 2 Steve Grubb 2004-08-21 12:14:06 UTC
OK, problem 2 is solved. Your explanation of needing to relabel the
filesystem is exactly what's wrong in item 3. That leaves item 1.

The problem is really this: what if you install only the strict policy
on a new installation? Targeted doesn't exist, it wasn't installed.
There are no "Requires" on any package that forces both strict and
targeted to be installed.

The only way the system will boot is if SELINUXTYPE points to a valid
directory. It will fail to boot if it's targeted and targeted isn't

There are 2 solutions as I see it:

1) Put a "Requires" tag on libselinux (or another package) that forces
both policies to be installed.

2) Fix the strict package to set itself as the default policy if it's
installed on a new system.
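
The %post cases listed in Comment 1 and the boot requirement stated in Comment 2, as an added example that is not part of the bug report or the package's own scriptlet. The function names and the root-directory argument are assumptions, introduced so the logic can run against a scratch tree with constructed contents.

```shell
#!/bin/sh
# Added illustration; not the selinux-policy-strict %post scriptlet.
# Every function takes a root directory (an assumption of this example)
# so that nothing under the real /etc is read or written.

# Print the SELINUXTYPE value from a config file (last assignment wins).
# Comment lines that merely mention SELINUXTYPE are ignored.
selinuxtype_of() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tail -n 1
}

# Pick the policy type following the three cases listed in Comment 1.
choose_selinuxtype() {
    if [ -f "$1/etc/selinux/config" ]; then
        selinuxtype_of "$1/etc/selinux/config"   # existing config is maintained
    elif [ -f "$1/etc/sysconfig/selinux" ]; then
        echo strict                              # update install from FC2
    else
        echo targeted                            # initial install
    fi
}

# Succeed only if the type names an installed policy directory,
# the condition Comment 2 gives for the system to boot.
check_selinuxtype() {
    [ -n "$2" ] && [ -d "$1/etc/selinux/$2" ]
}

# Constructed scenario from Comment 2: new install, only strict present.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -p "$scratch/etc/selinux/strict"
    chosen=$(choose_selinuxtype "$scratch")
    if check_selinuxtype "$scratch" "$chosen"; then
        echo "SELINUXTYPE=$chosen: policy directory present"
    else
        echo "SELINUXTYPE=$chosen: no such directory under /etc/selinux"
    fi
    rm -rf "$scratch"
}
demo
```
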

Comment 3 Daniel Walsh 2004-08-25 19:46:59 UTC
You can't install with strict policy.  We don't support it in the

2) We don't want strict to default to strict because we can not
guarantee that targeted policy is or is not installed before strict
policy. If both are installed we want targeted policy to be the default.

Comment 4 Daniel Walsh 2005-02-09 18:55:32 UTC
Fixed in current release
