On 28.05.2012 11:13, Sven Vermeulen wrote:
> Hi guys 'n girls,
>
> The next iteration of our policies is now in the hardened-dev
> overlay. For ~arch users, this is one you will probably need to
> install through a small workaround, but first the changes:
>
> #417937 Do not audit access to device_t:chr_file by dmesg
> #417857 Support dynamic /run directories
> #413719 Correct udev context in /run/udev
> <no bug> Backporting SEPostgresql changes
> <no bug> Update udev file contexts (udevadm and udevd binaries)
> #417821 Mark /etc/selinux/*/modules as semanage_store_t (fixes
>         permission issue on .../modules/tmp)
>
> ~arch users will, if they have -r9 or -r10 installed, need to do
> the following steps first:
>
> """
> setenforce 0
> semanage fcontext -a -t semanage_store_t "/etc/selinux/strict/modules"
> restorecon -R /etc/selinux/strict/modules
> setenforce 1
> """
>
> This is because otherwise any attempt to load the new policy will
> result in a failure. Of course, substitute "strict" with your
> SELinux policy type you have installed.
>
> This also means that r9 and r10 are no candidates for
> stabilization. And since r8 is fairly low on changes, r11 is the
> next stabilization candidate.
>
> Wkr, Sven Vermeulen
>
Hi,

I've got some problems with r11 on mcs. The error is:

Creating mcs base module base.conf
Compiling mcs base module
/usr/bin/checkmodule: loading policy configuration from base.conf
base.conf:2184:ERROR 'permission execute is not defined' at token ';' on line 2184:
( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/base.mod] Error 1

The error is introduced in "0098-all-sepostgresql_updates_backport-r11.patch".
In older versions db_schema is db_language (which by the way is in the older
versions defined two times).

If I remove the "execute" from db_schema it builds. I don't know if db_schema
needs execute, if not it should be dropped, otherwise execute should be
defined for db_schema, I think.

WKR
Hinnerk van Bruinehsen
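A pre-build check for the failure reported above, as an added example (not part of the original message or of the policy sources): it reads common and class declarations in base.conf syntax and reports every permission listed in a constrain or mlsconstrain statement that the named class does not define. The sample policy text is constructed, and the function name and the simplified parsing (explicit permission lists only) are assumptions.

```python
import re

# Constructed sample in base.conf syntax (not the real policy text).
SAMPLE_POLICY = """
common database { create drop getattr setattr relabelfrom relabelto }
class db_schema inherits database { search add_name remove_name }
class db_language inherits database { implement execute }
mlsconstrain db_language { drop getattr setattr relabelfrom execute }
    ( h1 dom h2 );
mlsconstrain db_schema { drop getattr setattr relabelfrom execute }
    ( h1 dom h2 );
"""

COMMON_RE = re.compile(r"^\s*common\s+(\w+)\s*\{([^}]*)\}", re.M)
# A class may be declared bare first and given its permissions later.
CLASS_RE = re.compile(
    r"^\s*class\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?", re.M)
# Only explicit class/permission lists are checked; "*" and "~" forms are skipped.
CONSTRAIN_RE = re.compile(
    r"^\s*(?:mls)?constrain\s+(\{[^}]*\}|\w+)\s+(\{[^}]*\}|\w+)", re.M)


def undefined_constraint_perms(text):
    """Return (line, class, permission) for constrained permissions the class lacks."""
    text = re.sub(r"#.*", "", text)  # drop comments, keep line numbering
    commons = {name: set(body.split()) for name, body in COMMON_RE.findall(text)}
    defined = {}
    for name, parent, own in CLASS_RE.findall(text):
        # Union the class's own permissions with those of its inherited common.
        defined.setdefault(name, set()).update(own.split(), commons.get(parent, ()))
    findings = []
    for m in CONSTRAIN_RE.finditer(text):
        line = text.count("\n", 0, m.start(1)) + 1
        for cls in re.findall(r"\w+", m.group(1)):
            for perm in re.findall(r"\w+", m.group(2)):
                if perm not in defined.get(cls, set()):
                    findings.append((line, cls, perm))
    return findings


if __name__ == "__main__":
    for line, cls, perm in undefined_constraint_perms(SAMPLE_POLICY):
        print(f"line {line}: permission {perm} is not defined for class {cls}")
```

Run against a generated base.conf before checkmodule, an empty result means every explicitly constrained permission exists on its class.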