fedora-selinux January 2012 archive

Re: circular policy references generated by sepolgen

From: Miroslav Grepl <mgrepl_at_nospam>
Date: Wed Jan 11 2012 - 10:16:16 GMT
To: Michael Atighetchi <matighet@bbn.com>

On 01/10/2012 10:59 PM, Michael Atighetchi wrote:
> All,
>
> I have a number of custom policies that I developed on a Fedora 14
> system by using sepolgen and iterating over the policies up to a point
> where they are violation free.
>
> When trying to install those policies on another system, I've run into
> a circular dependency issue. No matter what order I call the 6 .sh
> scripts created by sepolgen, I always end up with missing required
> types, e.g.,:
>
> ----
> [proxyuser@lime selinux]$ sudo ./CZwd.sh
> Building and Loading Policy
> + make -f /usr/share/selinux/devel/Makefile
> make: Nothing to be done for `all'.
> + /usr/sbin/semodule -i CZwd.pp
> libsepol.print_missing_requirements: CZwd's global requirements were
> not met: type/attribute CZfwa_t (No such file or directory).
> libsemanage.semanage_link_sandbox: Link packages failed (No such file
> or directory).
> /usr/sbin/semodule: Failed!
> ----
>
> Presumably, one can break these cycles by defining all required types
> first.
> Is there a manual way to do this using the SELinux tools?
>
> Thanks
> Michael
>
>
You should use the "optional_policy" statement in your policies to prevent
this issue. I wrote a blog post about this:

http://mgrepl.wordpress.com/2011/12/04/troubles-with-policy-development-part-1/

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
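
An added sketch of the optional_policy approach recommended in the reply above; it is not code from the thread or from the linked blog post. Only the names CZwd and CZfwa_t come from the quoted error output; the module version, the CZwd_t and CZwd_exec_t types, the init_daemon_domain call and the allow rule are constructed placeholders.

```m4
# CZwd.te -- constructed example, reference policy (m4) syntax
policy_module(CZwd, 1.0.0)

# Types owned by this module (placeholder names)
type CZwd_t;
type CZwd_exec_t;
init_daemon_domain(CZwd_t, CZwd_exec_t)

# Before: a requirement at module scope is a global requirement.
# The linker rejects CZwd.pp unless CZfwa_t is already loaded, which is
# the libsepol.print_missing_requirements failure quoted in the thread.
#
#   gen_require(`
#       type CZfwa_t;
#   ')
#   allow CZwd_t CZfwa_t:process signal;

# After: the same requirement scoped to an optional block.
# CZwd.pp links even when no loaded module declares CZfwa_t; the block
# is left disabled until a module providing that type is installed.
optional_policy(`
	gen_require(`
		type CZfwa_t;
	')

	# placeholder rule standing in for the real cross-module access
	allow CZwd_t CZfwa_t:process signal;
')
```

When every module in the cycle wraps its references to the other modules' types this way, none of them has a global requirement on another, so the generated .sh scripts can be run in any order.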