Stephen Smalley wrote:
> Is that the right place to check it (vs. upon sepol_policydb_set_vers,
> although checkpolicy/checkmodule don't presently use that)?
We could do it both in sepol_policydb_set_vers as well as in checkpolicy
(checkmodule doesn't allow the user to specify the version so I don't think
there is a need for a check there). There is an advantage in doing the check
in checkpolicy as the user would be warned much earlier.
Unfortunately, I don't think we can call ERR() from
which means the user won't get a useful error message from, e.g. semodule.
The user ends up with a confusing error like this:
libsepol.policydb_read: policydb module version 7 does not match my
version range 4-6
libsepol.sepol_module_package_read: invalid module in module package (at section 0)
libsemanage.semanage_load_module: Error while reading from module file /etc/selinux/refpolicy/modules/tmp/modules/acct.pp.
/usr/sbin/semodule: Failed!
> Also, what does this mean for automatic dowgrading of policy versions
> at policy load time? For example, if booting an old kernel with a
> newer policy that had MLS enabled.
The question is whether or not automatic downgrading in this case really
I'm not convinced that it does.