I want to use the kerberos_read_home_content interface method, but it seems to be a newer method that doesn't exist on RHEL 6.0, but it does on RHEL 6.5. Is there a way to build a single policy that will take advantage of this call if its there, but not fail to compile/install if it is not?
On 03/05/2014 10:35 PM, Jayson Hurst wrote:
I want to use the kerberos_read_home_content interface method, but it seems to be a newer method that doesn't exist on RHEL 6.0, but it does on RHEL 6.5. Is there a way to build a single policy that will take advantage of this call if its there, but not fail to compile/install if it is not?
Yes, you want to use "optional_policy" block .
http://mgrepl.wordpress.com/2012/03/23/when-should-you-use-the-optional_poli...
I had tried the following, but it still complains about the missing kerberos_read_home_content call.
optional_policy(` kerberos_rw_config(vasd_t) kerberos_use(vasd_t) optional_policy(` kerberos_read_home_content(vasd_t) ') ')
Date: Thu, 6 Mar 2014 08:57:27 +0100 From: mgrepl@redhat.com To: selinux@lists.fedoraproject.org CC: swazup@hotmail.com Subject: Re: Is there a way to use newer SELinux interface calls, but still compile on machines that don't have them.
On 03/05/2014 10:35 PM, Jayson Hurst wrote:
I want to use the kerberos_read_home_content interface method, but it seems to be a newer method that doesn't exist on RHEL 6.0, but it does on RHEL 6.5. Is there a way to build a single policy that will take advantage of this call if its there, but not fail to compile/install if it is not?
Yes, you want to use "optional_policy" block .
http://mgrepl.wordpress.com/2012/03/23/when-should-you-use-the-optional_poli...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Right option_policy only covers missing types not missing interfaces. You need to back port the interface. It is only source code.
On 03/06/2014 12:28 PM, Jayson Hurst wrote:
I had tried the following, but it still complains about the missing kerberos_read_home_content call.
optional_policy(` kerberos_rw_config(vasd_t) kerberos_use(vasd_t) optional_policy(` kerberos_read_home_content(vasd_t) ') ')
Date: Thu, 6 Mar 2014 08:57:27 +0100 From: mgrepl@redhat.com To: selinux@lists.fedoraproject.org CC: swazup@hotmail.com Subject: Re: Is there a way to use newer SELinux interface calls, but still
compile on machines that don't have them.
On 03/05/2014 10:35 PM, Jayson Hurst wrote:
I want to use the kerberos_read_home_content interface method, but it seems to be a newer method that doesn't exist on RHEL 6.0, but it does on RHEL 6.5. Is there a way to build a single policy that will take advantage of this call if its there, but not fail to compile/install if it is not?
Yes, you want to use "optional_policy" block .
http://mgrepl.wordpress.com/2012/03/23/when-should-you-use-the-optional_poli...
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Thanks Dan, I didn't realize that optional_policy was for types only.
Date: Thu, 6 Mar 2014 13:21:04 -0500 From: dwalsh@redhat.com To: swazup@hotmail.com; mgrepl@redhat.com; selinux@lists.fedoraproject.org Subject: Re: Is there a way to use newer SELinux interface calls, but still compile on machines that don't have them.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Right option_policy only covers missing types not missing interfaces. You need to back port the interface. It is only source code.
On 03/06/2014 12:28 PM, Jayson Hurst wrote:
I had tried the following, but it still complains about the missing kerberos_read_home_content call.
optional_policy(` kerberos_rw_config(vasd_t) kerberos_use(vasd_t) optional_policy(` kerberos_read_home_content(vasd_t) ') ')
Date: Thu, 6 Mar 2014 08:57:27 +0100 From: mgrepl@redhat.com To: selinux@lists.fedoraproject.org CC: swazup@hotmail.com Subject: Re: Is there a way to use newer SELinux interface calls, but still
compile on machines that don't have them.
On 03/05/2014 10:35 PM, Jayson Hurst wrote:
I want to use the kerberos_read_home_content interface method, but it seems to be a newer method that doesn't exist on RHEL 6.0, but it does on RHEL 6.5. Is there a way to build a single policy that will take advantage of this call if its there, but not fail to compile/install if it is not?
Yes, you want to use "optional_policy" block .
http://mgrepl.wordpress.com/2012/03/23/when-should-you-use-the-optional_poli...
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlMYvJAACgkQrlYvE4MpobO49QCfQHAruPmP0FIHi/hZpXt6upl+ Ku4AniSEX1uZkXsDW3RmfawMW/AV6aVE =TriK -----END PGP SIGNATURE-----
selinux@lists.fedoraproject.org