
How to check selinux policy version on Fedora?

asked 2016-12-06 08:27:59 -0500

Mushroom

Hi guys, I have a question about listing SELinux policies. I can list them, but in older Fedora versions like 18, 17, 16, after I typed the command

semodule -l

I had output like this:

examplepolicy 1.5.2

And 1.5.2 was the version number. In Fedora 24 and 25 I got just this:

examplepolicy

Or when I type the command with the 'full' attribute I also get priority numbers:

100 examplepolicy

Is there any way to know that policy version? Maybe with the semodule command, or other tools, or simply from where those policies are stored (I don't know the exact location).

And if this is not the place to ask this question, please tell me where I should post it to get my answer :) Or just delete this topic :)

Sincerely, Mushroom


1 Answer


answered 2016-12-07 14:24:36 -0500

I was unable to find "official" information about it, but I recall the following:

The old module versioning never really worked well and was removed in favor of module "priorities".

Modules provided by upstream are generally installed with the 100 priority. Versions with a higher priority are generally local customizations.

The module version with the highest priority associated with it takes precedence.


Comments

Hmm, that would be bad information. Priorities will not give you information about the current policy version loaded in SELinux. And I know that people from SELinux do updates of particular policy modules from time to time.

Mushroom ( 2016-12-08 05:44:18 -0500 )

When distribution maintainers update modules, they do not update the module version. Traditionally the module versions were only updated by upstream reference policy. semodule -u was not used much if at all by anyone. Instead semodule -i was just used. I forgot what exactly the rationale was for this decision, and I know some were actually relying on versions (I think people that use puppet to deploy modules were relying on it), but as you can see: versions and semodule -u were removed. Priority 100 is generally used as the default priority, and anything with a higher priority is a local customiza

dac.override ( 2016-12-08 06:07:37 -0500 )
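
The priority rule described in the answer and comments above can be checked against a full module listing. The following is an added example, not part of the original posts: it reads lines in the `<priority> <name>` form shown in the question and reports, per module, the highest priority present and whether it sits above the default of 100. The function names, the sample listing and the extra columns after the module name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise a full semodule listing by priority.
# Input lines are expected as "<priority> <name> [<ext>] [disabled]".
# The columns after <name> are an assumption; the page shows only the first two.

effective_modules() {
    # Reads a full module listing on stdin. For each module name prints
    # "<name> <highest priority> <upstream|local>", sorted by name.
    # $1 is the default priority (100 per the answer above). Anything above
    # it is labelled "local", following the answer's "generally" convention.
    awk -v base="${1:-100}" '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            prio = $1 + 0; name = $2
            # The copy with the highest priority takes precedence.
            if (!(name in best) || prio > best[name]) best[name] = prio
        }
        END {
            for (n in best)
                printf "%s %d %s\n", n, best[n], (best[n] > base ? "local" : "upstream")
        }' | sort
}

# Constructed sample listing (not real output from any system).
sample_listing() {
    cat <<'EOF'
100 examplepolicy pp
100 otherpolicy pp
400 examplepolicy cil
EOF
}

# On a live system: semodule --list-modules=full | effective_modules
sample_listing | effective_modules
```

A module reported as `local` has a copy installed above the default priority, which is the copy that takes effect.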

Stats

Asked: 2016-12-06 08:27:59 -0500

Seen: 460 times

Last updated: Dec 06 '16