Troubles with policy development, part #1
Some time ago I got a question from a guy about some troubles with his policy development . I decided to write a set of blogs related to common troubles which either we or other folks could have in policy development.
Now back to the problem. This guy got a similar error message:
“/usr/bin/semodule_link: loading package libsepol.print_missing_requirements: rhcs’s global requirements were not met: type/attribute corosync_exec_t
/usr/bin/semodule_link: Error while linking packages”
through building of his custom policy.
We use “optional_policy” statement to declare a rule which could be invalid if an appropriate module (module containing a declaration of an interface) is disabled/removed or is not declared. Probably the following example is better than my definition.
allows the fenced binary to execute the Corosync Cluster Engine. Now how could this rule become invalid? Easily by disabling of the corosync policy module which contains this interface definition.
# semodule -d corosync
This is a way how we do the policy really modular. You can remove a module from the policy and everything should work fine, only a daemon or a user program will be without SELinux protection. You can check this out and make your policy being as minimal as you wish. Just be careful with removing of the unconfineduser policy module (see http://danwalsh.livejournal.com/42394.html).
So if you use an interface without “optional” statement and you disable/remove or do not add a module declaration into the module-*.conf file, you will get exactly the same error message.
Note: If the “optional_policy” declaration contains more rules then all these rules will become invalid for this block.