Summary: | <net-nds/389-ds-base-1.3.0.2-r1 fails to build in hardened selinux profile | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Reto Gantenbein (ganto) <reto.gantenbein> |
Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | selinux |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 445974 | ||
Bug Blocks: | |||
Attachments: |
Fix against selinux/Makefile to use current SELINUXTYPE instead of hardcoded "targeted"
Ebuild fix for selinux
Ebuild patch to use sec-policy/selinux-dirsrv instead |
Description
Reto Gantenbein (ganto)
2012-12-01 14:04:03 UTC
I guess you're running with a policy of strict, mcs or mls? If so, I'll draft up a patch to check the policy dir that is in use, but know that, if you ever switch towards a different profile, you might need to rebuild the package.
Created attachment 331284 [details]
Fix against selinux/Makefile to use current SELINUXTYPE instead of hardcoded "targeted"
This fixes the build system to correctly parse the current loaded policy type (be it strict, targeted, mcs or mls).
Second fix on ebuild will follow shortly
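The check described above (use the configured policy type rather than a hardcoded "targeted"), as an added shell example that is not the attached patch or the project's own code. The function names and the `/usr/share/selinux/<type>` layout are assumptions for illustration; `/etc/selinux/config` is the standard location of the `SELINUXTYPE` setting.

```shell
#!/bin/sh
# Added example: resolve the configured SELinux policy type instead of
# assuming "targeted". Function names are hypothetical.
#
# Usage after sourcing this file:  policy_dir            (reads /etc/selinux/config)
#                                  policy_dir ./config   (reads a given file)

# Print the SELINUXTYPE value from a SELinux config file.
# Returns 1 if the file is unreadable or the key is missing or malformed.
selinux_type() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || return 1
    # Take the last uncommented SELINUXTYPE= assignment; comment lines such
    # as "# SELINUXTYPE= can take ..." do not match because of the anchor.
    val=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=[[:space:]]*//p' "$cfg" \
          | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]]*$//')
    # Accept only a plain name so the value is safe to splice into a path
    # (rejects empty values, slashes, dots and trailing inline comments).
    case "$val" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$val"
}

# Print the policy directory for the configured type.
# Assumption: policy files live under /usr/share/selinux/<type>.
policy_dir() {
    t=$(selinux_type "$1") || return 1
    printf '/usr/share/selinux/%s\n' "$t"
}
```

A build that fails here rather than falling back to "targeted" avoids installing a module into a policy store that is not the one in use.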
Created attachment 331286 [details, diff]
Ebuild fix for selinux
This updates the ebuild to include the patch (and drops the previous selinux-related patch as it is now obsolete) and also loads in the policy. It drops the FEATURES="loadpolicy" part (as we don't support that anymore).
The above patches should help, but I haven't been able to test them yet.
What we can also do is to move the SELinux policy from the package into its own (sec-policy/selinux-dirsrv) and (R)DEPEND on it. That will simplify the ebuild and build, and is more in line with how other packages work. It does require a small patch against the build system of 389-ds-base to make the selinux-based build (i.e. selinux/Makefile) a NOOP. It will also allow us to manage the policy similarly as others (including fixing policy issues) so that the 389-ds-base package doesn't need to be bumped for every SELinux policy change made. The downside is however that, if the 389-ds-base package provides an updated policy, we will not include it until we detect that and update our policy repository ourselves.
Fabio, what's your take on this? Update the ebuild/Makefiles to continue including and loading the SELinux policy provided by the package, or update the ebuild/Makefiles to use sec-policy/selinux-dirsrv and move the SELinux policy stuff into our policy repository?
It doesn't make any difference to me, feel free to implement it the way you like more.
Ok, I'll include the dirsrv in our repository and manage it like we manage our other policy modules. I'll post the update against the ebuild/fix when I've finished that.
Created attachment 341592 [details, diff]
Ebuild patch to use sec-policy/selinux-dirsrv instead
This is a patch against the ebuild to remove building the 389-ds-base provided policy, and instead relying on the sec-policy/selinux-dirsrv that we offer. This simplifies the build somewhat, as it doesn't need to take care of SELinux stuff anymore (except for still enabling --with-selinux).
Fixed in CVS. Thanks swift for taking care of this. Sorry, I've been busy this month! Much appreciated!
Marking as fixed as 389-ds-base has no stable packages (so no need to wait until stabilization).