On 28.05.2012 11:13, Sven Vermeulen wrote:
> Hi guys 'n girls,
>
> The next iteration of our policies is now in the hardened-dev
> overlay. For ~arch users, this is one you will probably need to
> install through a small workaround, but first the changes:
>
> #417937 Do not audit access to device_t:chr_file by dmesg
> #417857 Support dynamic /run directories
> #413719 Correct udev context in /run/udev
> <no bug> Backporting SEPostgresql changes
> <no bug> Update udev file contexts (udevadm and udevd binaries)
> #417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes
>         permission issue on .../modules/tmp)
>
> ~arch users will, if they have -r9 or -r10 installed, need to do
> the following steps first:
>
> """
> setenforce 0
> semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
> restorecon -R /etc/selinux/strict/modules
> setenforce 1
> """
>
> This is because otherwise any attempt to load the new policy will
> result in a failure. Of course, substitute "strict" with your
> SELinux policy type you have installed.
>
> This also means that r9 and r10 are no candidates for
> stabilization. And since r8 is fairly low on changes, r11 is the
> next stabilization candidate.
>
> Wkr, Sven Vermeulen
>

Hi,

I've got some problems with r11 on mcs. The error is:

Creating mcs base module base.conf
Compiling mcs base module
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2184:ERROR 'permission execute is not defined' at token ';' on line 2184:
( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

The error is introduced in
"0098-all-sepostgresql_updates_backport-r11.patch".

In older versions db_schema is db_language (which by the way is in the
older versions defined two times). If I remove the "execute" from
db_schema it builds. I don't know if db_schema needs execute; if not
it should be dropped, otherwise execute should be defined for
db_schema, I think.

WKR

Hinnerk van Bruinehsen
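As an added example (not part of the original thread, and not code from the Gentoo policy or the patch): a small Python check that flags permissions named in a `constrain`/`mlsconstrain` statement which the class neither defines nor inherits from a `common`, the condition checkmodule reports in the message above. The function names and the sample policy text are constructed for illustration, and the parser only understands these three statement forms.

```python
import re

# Simplified patterns for the statement forms found in a flattened base.conf.
COMMON_RE = re.compile(r"\bcommon\s+(\w+)\s*\{([^}]*)\}")
CLASS_RE = re.compile(
    r"\bclass\s+(\w+)(?:\s+inherits\s+(\w+))?(?:\s*\{([^}]*)\})?")
CONSTRAIN_RE = re.compile(
    r"\b(mlsconstrain|constrain)\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)")

def names(token):
    """Split 'name' or '{ a b c }' into a list of identifiers."""
    return token.strip("{} \t\n").split()

def undefined_constraint_perms(policy_text):
    """Return (line, class, permission) for each constraint permission
    that the class does not define itself or inherit from a common."""
    text = re.sub(r"#[^\n]*", "", policy_text)  # drop comments, keep newlines
    commons = {m[1]: set(m[2].split()) for m in COMMON_RE.finditer(text)}
    perms = {}
    for m in CLASS_RE.finditer(text):
        own = set((m[3] or "").split())
        inherited = commons.get(m[2], set())
        # A class appears twice: bare declaration, then its access vector.
        perms.setdefault(m[1], set()).update(own | inherited)
    findings = []
    for m in CONSTRAIN_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for cls in names(m[2]):
            for perm in names(m[3]):
                if perm not in perms.get(cls, set()):
                    findings.append((line, cls, perm))
    return findings

# Constructed sample: permission lists are illustrative, not copied from
# the patch discussed in the thread.
SAMPLE = """\
class db_schema            # bare class declaration
common database { create drop getattr setattr relabelfrom relabelto }
class db_schema inherits database { search add_name remove_name }
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
    ( h1 dom h2 );
"""

if __name__ == "__main__":
    for line, cls, perm in undefined_constraint_perms(SAMPLE):
        print(f"line {line}: permission {perm} is not defined for {cls}")
```

Running a check like this over the generated base.conf before invoking checkmodule shows every mismatched constraint at once, instead of stopping at the first parse error.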