Up to now, if you had a working modular reference policy, you were actually lucky. There were some bugs in the toolchain that prevented this from working as intended.

  • Optionals in base were not enabled. So if you built “mta” into base (or, let's say, “init”), the parts of the policy that deal with outside modules (e.g. postfix) were simply dropped. So you basically had to build a monolithic policy if you wanted all the connecting rules between base and modules to work. This was fixed recently in refpolicy, but turned up some new bugs:
  • One thing that turned up was type attributes being broken. When you loaded a certain combination of modules (a couple of modules in base), suddenly tons of key rules would be missing (e.g. for relabeling files, basically any rule that applied to “file_type”, i.e. all files). This was fixed by Stephen Smalley in libsepol 1.12.3.
  • When certain policy files “required” that your policy have certain permissions (e.g. “execute”) defined, this could cause checkpolicy to duplicate this permission, so you ended up with two execute permissions, which obviously didn't work right all the time either. Fixed by Stephen Smalley in checkpolicy 1.30.2/1.30.3 (soon on your favourite anon CVS at sourceforge).

Thanks to all who helped track this down.

Looks like modular reference policy is now actually working as intended for me. ;-)