Re: selinux local policy from F10 to F11?

[Dominick Grift <domg472 gmail com>]

On Wed, 2009-06-17 at 22:37 +0100, mike cloaked wrote:
> If you have generated local selinux policy using semanage fcontext for
> specific files or directories in F10, is there now a recommended way
> to automate retrieval of these and then create the same rule set for
> F11 after a clean F11 install?
> 
> I know that you can do
> # semanage fcontext -C -l and send the output to a file.
> This will generate lines such as
> SELinux fcontext                                   type               Context
> 
> /home/mike/.cxoffice(/.*)?                         all files
> system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all
> files        system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all
> files         system_u:object_r:textrel_shlib_t:s0
> /home/mike/.wine(/.*)?                             all files
> system_u:object_r:textrel_shlib_t:s0
> 
> However I guess that saving this will still not allow these rules to
> be written back to the new system in an automated way unless a script
> is written to parse the lines and create a set of new selinux fcontext
> lines that will create each local
> rule with something like:
> semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?
> with one for each original line in the output generated from the old
> system before it was replaced?
> 
> If there is a cleaner way to achieve this I would like to hear about it?
> 
> 

You can create a local policy module and distribute that:

mything.te

policy_module(mything, 0.0.1)

mything.fc

HOME_DIR/.cxoffice/dotwine/bla/bla/mything.so --
gen_context(system_u:object_r:textrel_shlib_t, s0)

"build and install"

make -f /usr/share/selinux/devel/Makefile
semodule -i mything.pp
restorecon -R -v /home/mike/.cxoffice/dotwine

That should work