upgrade howto

upgrade howto

[antoine]

What is the safest way of upgrading libselinux and libsepol?

I attempted it a couple of weeks ago and had to resort to statically
linked copies of ls and tar to restore the previous version after the
upgrade broke my system. Clearly, I did something wrong. What is scary
is that a lot of the core system utilities are linked against libselinux
(ls, init, portage, etc) and that when I upgrade, it would seem that I
need to rebuild them (as just upgrading the library left them unusable)
- which is impossible without these basic tools... catch 22?

Note: this is on a Gentoo system where everything is compiled from
source and so a big rpm upgrade transaction is simply not an option
here.

Thanks
Antoine


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: upgrade howto

[Stephen Smalley]

On Wed, 2005-06-22 at 00:06 +0100, antoine wrote:
> What is the safest way of upgrading libselinux and libsepol?
> 
> I attempted it a couple of weeks ago and had to resort to statically
> linked copies of ls and tar to restore the previous version after the
> upgrade broke my system. Clearly, I did something wrong. What is scary
> is that a lot of the core system utilities are linked against libselinux
> (ls, init, portage, etc) and that when I upgrade, it would seem that I
> need to rebuild them (as just upgrading the library left them unusable)
> - which is impossible without these basic tools... catch 22?

I'm puzzled by this, as libselinux and libsepol should always remain
backward compatible.  If they weren't, we would be changing the shared
library version.  I've successfully upgraded to the latest upstream
libselinux and libsepol even on older systems from a source build (i.e.
a make install relabel in libselinux and libsepol) without problems in
the past.  More details on the nature of the breakage, please?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: upgrade howto

[Stephen Smalley]

On Wed, 2005-06-22 at 00:06 +0100, antoine wrote:
> What is the safest way of upgrading libselinux and libsepol?
> 
> I attempted it a couple of weeks ago and had to resort to statically
> linked copies of ls and tar to restore the previous version after the
> upgrade broke my system. Clearly, I did something wrong. What is scary
> is that a lot of the core system utilities are linked against libselinux
> (ls, init, portage, etc) and that when I upgrade, it would seem that I
> need to rebuild them (as just upgrading the library left them unusable)
> - which is impossible without these basic tools... catch 22?

Note btw that while upgrading should always work, downgrading is another
matter.  So if Gentoo was using a newer base version of libsepol and
libselinux (e.g. one from the sourceforge CVS tree), and you downgraded
to an older one (e.g. the last nsa.gov release, which was in March),
that could easily break your system as your userland may be depending on
newer interfaces.  nsa.gov releases are only made periodically,
typically when there is a new Linux kernel release (e.g. one should be
occurring soon for 2.6.12), whereas the sourceforge CVS tree tracks
development much more closely, and some distributions (like Fedora)
track the sourceforge CVS tree directly.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: upgrade howto

[antoine]

On Wed, 2005-06-22 at 07:54 -0400, Stephen Smalley wrote:
> On Wed, 2005-06-22 at 00:06 +0100, antoine wrote:
> > What is the safest way of upgrading libselinux and libsepol?
> > 
> > I attempted it a couple of weeks ago and had to resort to statically
> > linked copies of ls and tar to restore the previous version after the
> > upgrade broke my system. Clearly, I did something wrong. What is scary
> > is that a lot of the core system utilities are linked against libselinux
> > (ls, init, portage, etc) and that when I upgrade, it would seem that I
> > need to rebuild them (as just upgrading the library left them unusable)
> > - which is impossible without these basic tools... catch 22?
> 
> Note btw that while upgrading should always work, downgrading is another
> matter.  So if Gentoo was using a newer base version of libsepol and
> libselinux (e.g. one from the sourceforge CVS tree), and you downgraded
> to an older one (e.g. the last nsa.gov release, which was in March),
> that could easily break your system as your userland may be depending on
> newer interfaces.  nsa.gov releases are only made periodically,
> typically when there is a new Linux kernel release (e.g. one should be
> occurring soon for 2.6.12), whereas the sourceforge CVS tree tracks
> development much more closely, and some distributions (like Fedora)
> track the sourceforge CVS tree directly.

I was upgrading from CVS and clearly I must have done something wrong.
I've just upgraded by creating new Gentoo ebuild files for the just
released versions and it all worked fine.

Antoine


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.