Selinux V2 refpolicy contains an internal dependency such that it won't properly compile on gentoo if the selinux-apache module is included without the selinux-kerberos module.

Reproducible: Always

Steps to Reproduce:
1. Install latest V2 refpolicy from upstream, and generate appropriate ebuilds in a local portage overlay
2. Update system to use freshly installed policy
3. If not already installed, install selinux-apache policy.

Actual Results: System will fail to install with error indicating that type httpd_keytab_t is not defined. This type is defined within the selinux-kerberos module.

Although this is arguably an upstream issue, internal limitations of how V2 refpolicy currently works prevent it from being fixed upstream at this time. Additionally, Gentoo is somewhat unique in actually using the policy in a modular fashion; other distros (from what I've seen) use the whole thing as a big block, even if the affected applications aren't installed (e.g. selinux-apache policy will be installed, even if apache itself is not).

Expected Results: System should compile and install properly when selinux-apache is installed and selinux-kerberos is not.

This patch attempts to do two things:
0) Makes selinux-apache listen to the kerberos USE flag.
1) If the kerberos USE flag is NOT set, modify the selinux-apache policy to remove the dependency on selinux-kerberos so that policy will compile properly.
2) If the kerberos USE flag IS set, allow compile to proceed as normal.

In either case, an einfo message is emitted to the user informing them of the need to clear or set the kerberos USE flag and recompile the selinux-apache policy if selinux-kerberos policy is removed or installed, as appropriate.
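An added illustration of the USE-flag logic described above, not the attached patch and not Gentoo's own ebuild: it is written as plain POSIX shell so it runs outside Portage, with a stub `use`/`einfo`, a constructed apache.te fragment (only the httpd_keytab_t type comes from the report; the other rules are assumed), and the dependency spec `sec-policy/selinux-kerberos` assumed.

```shell
# Added example. `use` and `einfo` stand in for Portage's helpers; the USE
# flag is read from the USE environment variable for this demonstration.
IUSE="kerberos"
DEPEND="kerberos? ( sec-policy/selinux-kerberos )"   # assumed package atom

use()   { case " ${USE:-} " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }
einfo() { printf '%s\n' "$*"; }

# Constructed apache.te fragment: one rule references httpd_keytab_t, the
# type that only the selinux-kerberos module defines; the rest are unrelated.
make_policy() {
    cat > "$1" <<'EOF'
policy_module(apache, 1.0)
type httpd_t;
allow httpd_t httpd_keytab_t:file read_file_perms;
allow httpd_t httpd_sys_content_t:file read_file_perms;
EOF
}

# The src_prepare step the report describes: with USE=kerberos unset, drop
# every rule naming the kerberos-provided type so the module still compiles;
# with it set, leave the policy alone. Either way tell the user what to do
# when selinux-kerberos is later merged or unmerged.
prepare_policy() {
    policy=$1
    if use kerberos; then
        einfo "USE=kerberos set: clear it and rebuild if selinux-kerberos is removed"
    else
        sed '/httpd_keytab_t/d' "$policy" > "$policy.tmp" && mv "$policy.tmp" "$policy"
        einfo "USE=kerberos unset: set it and rebuild if selinux-kerberos is installed"
    fi
}

# Number of rules still referencing the kerberos-provided type (for checking).
keytab_refs() { grep -c httpd_keytab_t "$1" || true; }
```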
Created attachment 228907
Patch to selinux-apache-2.20091215.ebuild

Patch adds kerberos USE flag logic to selinux-apache policy
Just to clarify, this patch is necessary to allow us to move to SELinux V2 Refpolicy; it is not for current gentoo systems.
Patched in selinux-apache-2.20101213