I think that up/downgrading to a different policy when the version only differs in the Debian part should unconditionally run selinux-policy-upgrade. When the upstream version is different then it should just prompt the user as it currently does.
As an aside when the selinux-policy-upgrade script was written it took several minutes to run on reasonably good hardware so run time was a factor in the decision to not make it run by default. Also while on the topic we need to get it to do a fcontext diff and run restorecon as they do in Fedora. Andreas Kuckartz <[email protected]> wrote: >Mika Pflüger: >>> You already have a default policy installed. I am leaving it >>> alone. Please check and update manually. >> >> That is normal for debian selinux policy upgrades and has been for >> the last years. You need to run selinux-policy-upgrade(8) to >> activate the new policy. > >I executed selinux-policy-upgrade using sudo with this result: > >Updating "default" policy >libsepol.permission_copy_callback: Module epmd depends on permission >status in class system, not satisfied (No such file or directory). >libsemanage.semanage_link_sandbox: Link packages failed (No such file >or directory). >semodule: Failed! > >> If this is good design can be discussed (and especially I think the >> message could advertise selinux-policy-upgrade directly instead of >> letting the user figure that bit out themselves). > >Yes, I think that it the user should be offered to execute it at the >end of the installation. > >> From looking at the headers of your mail (which arrived at my >> inbox only via your direct mail, not via the lists), I'd think that >> the tor-relay might be what causes debian mailing list servers to >> reject your mail. > >Thanks a *lot* for that hint! > >Cheers, >Andreas > >_______________________________________________ >SELinux-devel mailing list >[email protected] >http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel -- Sent from my Samsung Galaxy Note 2 with K-9 Mail. _______________________________________________ SELinux-devel mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel
