I've been building syslog-ng RPMs, with the needed selinux module as a separate sub-package following the instructions at:
http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
but there's a problem with the logic of having the selinux package "Requires: main package", as then the main package will get installed and started before there is a working policy installed.
So, is there any way of re-ordering this, without having the main package depend on the selinux package? i.e. I want to allow someone to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want the selinux module, but I want the selinux module to be installed first if both are installed in the same operation.
My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm
-jf
Jan-Frode Myklebust wrote:
> I've been building syslog-ng RPMs, with the needed selinux module as a separate sub-package following the instructions at:
> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
> but there's a problem with the logic of having the selinux package "Requires: main package", as then the main package will get installed and started before there is a working policy installed.
> So, is there any way of re-ordering this, without having the main package depend on the selinux package? i.e. I want to allow someone to install only the syslog-ng-2.0.4-12.i386.rpm if they don't want the selinux module, but I want the selinux module to be installed first if both are installed in the same operation.
> My current srpm --> http://tanso.net/yum/packages/syslog-ng-2.0.4-12.src.rpm
I think it would be better to just ship the policy pp file in your rpm.
But looking through your policy, most of it is already in the base policy.
allow syslogd_t device_t:sock_file { getattr unlink };
This looks like a bug. It should not happen.
allow syslogd_t rsh_port_t:tcp_socket name_bind;
allow syslogd_t inaddr_any_node_t:tcp_socket node_bind;
allow syslogd_t self:tcp_socket { create listen bind setopt };
In FC7
allow syslogd_t syslogd_var_lib_t:dir { search write add_name };
allow syslogd_t syslogd_var_lib_t:file { create write getattr read };
This should be added to FC7
> -jf
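One way the suggestion in the reply (ship the .pp file in the main rpm) could look in the spec file, so that the policy is loaded before the service is registered and hosts without SELinux skip that step. This is an added example, not taken from the srpm linked above; the module name `syslogng`, the install path and the init script name `syslog-ng` are assumptions.

```spec
# Added example: hypothetical fragment for the main syslog-ng package.
# Assumed names: module "syslogng", init script "syslog-ng".
%define selinux_module syslogng
%define selinux_pkgdir %{_datadir}/selinux/packages/%{name}

%install
# Ship the compiled policy module inside the main package
install -D -m 0644 %{selinux_module}.pp \
    %{buildroot}%{selinux_pkgdir}/%{selinux_module}.pp

%post
# 1. Load the policy first, only where the tools exist and SELinux is enabled,
#    so the daemon never starts without its rules and non-SELinux hosts
#    are unaffected.
if [ -x /usr/sbin/semodule ] && /usr/sbin/selinuxenabled 2>/dev/null; then
    /usr/sbin/semodule -i %{selinux_pkgdir}/%{selinux_module}.pp || :
fi
# 2. Only then register the service.
/sbin/chkconfig --add syslog-ng

%preun
if [ $1 -eq 0 ]; then
    # Final removal: stop and unregister the service before the policy goes
    /sbin/service syslog-ng stop >/dev/null 2>&1 || :
    /sbin/chkconfig --del syslog-ng
fi

%postun
# Remove the module on erase only ($1 is 0), never on upgrade
if [ $1 -eq 0 ] && [ -x /usr/sbin/semodule ] \
   && /usr/sbin/selinuxenabled 2>/dev/null; then
    /usr/sbin/semodule -r %{selinux_module} || :
fi

%files
%{selinux_pkgdir}/%{selinux_module}.pp
```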