I have SELinux policy that is compiled on Red Hat Enterprise Linux 5.
This policy fails to install on Red Hat Enterprise Linux 6 with the following message:
libsepol.print_missing_requirements: pbrun's global requirements were not met: type/attribute system_chkpwd_t (No such file or directory).
*
Is there a way to write SELinux policy so that It can be compiled on v 5.x and will run on 6.x ?
*
*
*
Thanks,
Brian
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
11-18-2011, 01:20 PM
Daniel J Walsh
SELinux policy for both Enterprise Linux 5 and 6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/17/2011 08:05 PM, Brian Ginn wrote:
> I have SELinux policy that is compiled on Red Hat Enterprise Linux
> 5.
>
> This policy fails to install on Red Hat Enterprise Linux 6 with
> the following message:
>
> libsepol.print_missing_requirements: pbrun's global requirements
> were not met: type/attribute system_chkpwd_t (No such file or
> directory).
>
>
>
> Is there a way to write SELinux policy so that It can be compiled
> on v 5.x and will run on 6.x ?
>
>
>
>
>
>
>
> Thanks,
>
> Brian
>
That looks like a bug in RHEL6 policy then. Could you attach the
policy? You are supposed to be able to do this. We might need to add
a typealias to RHEL6.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
I have SELinux policy that is compiled on
Red Hat Enterprise Linux 5.
This policy fails to install on Red Hat
Enterprise Linux 6 with the following message:
libsepol.print_missing_requirements:
pbrun's global requirements were not met: type/attribute
system_chkpwd_t (No such file or directory).
This type does not exist on RHEL6. This is a problem why you can not
load your local policy. You probably just need to recompile your
policy on RHEL6. Another option would be to use "optional_policy"
block for interface calling.
For example
optional_policy(`
*auth_domtrans_chk_passwd(test_t)
')
If something is wrong with this interface then it won't be used. But
of course, then you will lost a part of functionality.
*
Is there a way to write SELinux policy so
that It can be compiled on v 5.x and will run on 6.x ?
*
*
*
Thanks,
Brian
Regards,
Miroslav
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
12-01-2011, 01:15 PM
Daniel J Walsh
SELinux policy for both Enterprise Linux 5 and 6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/01/2011 06:03 AM, Miroslav Grepl wrote:
> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>
>> I have SELinux policy that is compiled on Red Hat Enterprise
>> Linux 5.
>>
>> This policy fails to install on Red Hat Enterprise Linux 6 with
>> the following message:
>>
>> libsepol.print_missing_requirements: pbrun's global requirements
>> were not met: type/attribute system_chkpwd_t (No such file or
>> directory).
>>
> This type does not exist on RHEL6. This is a problem why you can
> not load your local policy. You probably just need to recompile
> your policy on RHEL6. Another option would be to use
> "optional_policy" block for interface calling.
>
> For example
>
> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>
> If something is wrong with this interface then it won't be used.
> But of course, then you will lost a part of functionality.
>>
>>
>>
>> Is there a way to write SELinux policy so that It can be compiled
>> on v 5.x and will run on 6.x ?
>>
>
>>
>>
>>
>>
>>
>>
>> Thanks,
>>
>> Brian
>>
> Regards, Miroslav
>>
>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Miroslav we need to add the type alias for this situation, though.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
On 12/01/2011 01:58 PM, Miroslav Grepl wrote:
> On 12/01/2011 03:15 PM, Daniel J Walsh wrote: On 12/01/2011 06:03
> AM, Miroslav Grepl wrote:
>>>> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>>>> I have SELinux policy that is compiled on Red Hat
>>>>> Enterprise Linux 5.
>>>>>
>>>>> This policy fails to install on Red Hat Enterprise Linux 6
>>>>> with the following message:
>>>>>
>>>>> libsepol.print_missing_requirements: pbrun's global
>>>>> requirements were not met: type/attribute system_chkpwd_t
>>>>> (No such file or directory).
>>>>>
>>>> This type does not exist on RHEL6. This is a problem why you
>>>> can not load your local policy. You probably just need to
>>>> recompile your policy on RHEL6. Another option would be to
>>>> use "optional_policy" block for interface calling.
>>>>
>>>> For example
>>>>
>>>> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>>>>
>>>> If something is wrong with this interface then it won't be
>>>> used. But of course, then you will lost a part of
>>>> functionality.
>>>>>
>>>>>
>>>>> Is there a way to write SELinux policy so that It can be
>>>>> compiled on v 5.x and will run on 6.x ?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Brian
>>>>>
>>>> Regards, Miroslav
>>>>>
>>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Miroslav we need to add the type alias for this situation, though.
>> I was thinking about that, but this is between major release. Is
>> this possible?
>
Well I guess we could hope that it works. I think where it will fall
apart is on things like the open access. So a policy build for RHEL5
might not work on RHEL6, if a confined domain needs to open anything...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
On 12/01/2011 03:15 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/2011 06:03 AM, Miroslav Grepl wrote:
>> On 11/18/2011 02:05 AM, Brian Ginn wrote:
>>> I have SELinux policy that is compiled on Red Hat Enterprise
>>> Linux 5.
>>>
>>> This policy fails to install on Red Hat Enterprise Linux 6 with
>>> the following message:
>>>
>>> libsepol.print_missing_requirements: pbrun's global requirements
>>> were not met: type/attribute system_chkpwd_t (No such file or
>>> directory).
>>>
>> This type does not exist on RHEL6. This is a problem why you can
>> not load your local policy. You probably just need to recompile
>> your policy on RHEL6. Another option would be to use
>> "optional_policy" block for interface calling.
>>
>> For example
>>
>> optional_policy(` auth_domtrans_chk_passwd(test_t) ')
>>
>> If something is wrong with this interface then it won't be used.
>> But of course, then you will lost a part of functionality.
>>>
>>>
>>> Is there a way to write SELinux policy so that It can be compiled
>>> on v 5.x and will run on 6.x ?
>>>
>>>
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Brian
>>>
>> Regards, Miroslav
>>>
>>> -- selinux mailing list selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> -- selinux mailing list selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Miroslav we need to add the type alias for this situation, though.
I was thinking about that, but this is between major release. Is this
possible?
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7XjAUACgkQrlYvE4MpobPjCwCgl5KGLHffns cGuAbg8r8ud/td
> xXsAni/3l1Qy/ud5MtZj7tEKQEWfJSuV
> =Trss
> -----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
SELinux policy for both Enterprise Linux 5 and 6
