Hi,
In the current Fedora spec file, libselinux has libsetrans as a prereq, thereby pulling it in on libselinux updates for all users regardless of policy. However, libsetrans presumes that MCS is enabled and always appends :s0 to contexts when converting to raw format if they lack it. This breaks (for example) a system running strict policy, as libselinux then starts using the MCS-specific libsetrans and it starts appending :s0 to raw contexts, but the kernel then rejects those contexts since it does not have an MLS-enabled policy.
libsetrans is supposed to be optional, with libselinux gracefully falling back to no translation if it is absent. I can possibly see making it a dependency of MCS-enabled targeted policy packages, but not of libselinux. Yes?
Stephen Smalley wrote:
> Hi,
> In the current Fedora spec file, libselinux has libsetrans as a prereq, thereby pulling it in on libselinux updates for all users regardless of policy. However, libsetrans presumes that MCS is enabled and always appends :s0 to contexts when converting to raw format if they lack it. This breaks (for example) a system running strict policy, as libselinux then starts using the MCS-specific libsetrans and it starts appending :s0 to raw contexts, but the kernel then rejects those contexts since it does not have an MLS-enabled policy.
> libsetrans is supposed to be optional, with libselinux gracefully falling back to no translation if it is absent. I can possibly see making it a dependency of MCS-enabled targeted policy packages, but not of libselinux. Yes?
Yes, for now you can just disable the translation. Edit /etc/mcs.conf and uncomment the disable line. MCS Targeted policy will be available by default in tonight's rawhide.
On Wed, 2005-09-14 at 14:21 -0400, Daniel J Walsh wrote:
> Yes, for now you can just disable the translation. Edit /etc/mcs.conf and uncomment the disable line. MCS Targeted policy will be available by default in tonight's rawhide.
Ok, uncommenting the disable line has restored the system to a working state again.
Stephen Smalley wrote:
> On Wed, 2005-09-14 at 14:21 -0400, Daniel J Walsh wrote:
>> Yes, for now you can just disable the translation. Edit /etc/mcs.conf and uncomment the disable line. MCS Targeted policy will be available by default in tonight's rawhide.
> Ok, uncommenting the disable line has restored the system to a working state again.
I am updating the library to disable it if mls is not enabled.
selinux@lists.fedoraproject.org
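
The failure mode and the fix discussed in this thread, as an added example that is not part of the original messages and is not libsetrans or libselinux source. It is a self-contained model: the function name `model_trans_to_raw` and the `mls_enabled` flag (standing in for what the loaded policy reports) are hypothetical, and the sample contexts are constructed.

```c
#include <stdio.h>
#include <string.h>

/* user:role:type has 2 colons; user:role:type:level has 3 or more
 * (an MCS/MLS level such as s0:c1 may itself contain colons). */
static int count_colons(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == ':')
            n++;
    return n;
}

/*
 * Hypothetical model of converting a context to raw form.
 * The default level ":s0" is appended only when the policy has an MLS
 * field AND the context lacks one. With mls_enabled == 0 the context is
 * passed through untouched, so a non-MLS kernel policy will accept it.
 * Returns 0 on success, -1 on a malformed context or a too-small buffer.
 */
int model_trans_to_raw(const char *ctx, int mls_enabled,
                       char *out, size_t outlen)
{
    const char *suffix = "";
    int colons, n;

    if (!ctx || !out || outlen == 0)
        return -1;
    colons = count_colons(ctx);
    if (colons < 2)                 /* not even user:role:type */
        return -1;
    if (mls_enabled && colons < 3)  /* gate the append on MLS support */
        suffix = ":s0";
    n = snprintf(out, outlen, "%s%s", ctx, suffix);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;  /* reject truncation */
}

int main(void)
{
    char raw[128];
    const char *ctx = "system_u:object_r:etc_t";  /* constructed sample */

    if (model_trans_to_raw(ctx, 0, raw, sizeof raw) == 0)
        printf("strict (non-MLS) policy: %s\n", raw);
    if (model_trans_to_raw(ctx, 1, raw, sizeof raw) == 0)
        printf("MCS-enabled policy:      %s\n", raw);
    return 0;
}
```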