custom selinux policy
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 1 01:09:27 UTC 2005
Laurent Jacquot wrote:
> On mar, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
>
>> Laurent Jacquot wrote:
>>
>>> On mar, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
>>>
>>>
>>>> Laurent Jacquot wrote:
>>>>
>>>>
>>>>> Hello,
>>>>> I can no longer build my custom selinux policy with recent upgrades (SE
>>>>> policy source replaced with SE policy).
>>>>> What is the new way (used to be make reload)?
>>>>>
>>>>> tx in advance
>>>>> jk
>>>>>
>>>> You need to use loadable modules. Take a look at the man page for
>>>> audit2allow, for some explanation. I don't know if we have a good
>>>> description available yet for loadable policy.
>>>>
>>>> The hardest part of converting your local.te into a loadable module will
>>>> be writing the require section.
>>>> You need to define all types, classes and roles in this section in order
>>>> to get the loadable module.
>>>> ==================================================================================
>>>> module local 1.0;
>>>>
>>>> require {
>>>> role system_r;
>>>>
>>>> class fifo_file { getattr ioctl };
>>>>
>>>> type cupsd_config_t;
>>>> type unconfined_t;
>>>> };
>>>>
>>>> allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
>>>> ==================================================================================
>>>>
>>>> --
>>>>
>>>>
>>> Thanks a lot for this info.
>>> BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
>>> regarding the module stuff. Hopefully, the -M option is verbose
>>>
>>> Would you mind shedding some light on the new file context definition? (used
>>> to be local.fc)
>>>
>>> Laurent
>>>
>> manpage looks correct on my machine?
>>
>> File context file should be the same.
>>
>> checkmodule -M -m -o /tmp/local.mod /tmp/local.te
>> semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc
>>
>
> Will try as soon as I find time. Does this semanage thing have to be run
> each time a reboot occurs in order to load my custom modules, or does it
> recall them automagically?
>
Init will automagically load your custom policy
> semodule -l
Shows all loadable modules currently in the policy.
> manpage is ok now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
> Is it a bug? - first time I've seen this behavior.
>
>
I have no idea what happened
> Anyway, thanks a lot to all the giants managing to transition those
> udev, selinux, modular xorg, etc. so smoothly.
>
>
The wonder of OpenSource.
> Laurent
>
--
More information about the fedora-devel-list mailing list
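As an added worked example (not code from this thread, and not audit2allow itself), the script below does the part Dan calls the hardest: it collects every type, class and role referenced by a few constructed AVC denial lines and emits a module source whose require section lists all of them, in the same shape as the local.te shown above. The sample denials, the module name and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials in the kernel audit format (not taken from the thread).
SAMPLE_AVCS = """\
audit(1133398167.123:45): avc:  denied  { getattr ioctl } for  pid=1234 comm="cupsd" path="pipe:[9876]" dev=pipefs ino=9876 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
audit(1133398168.456:46): avc:  denied  { read } for  pid=1234 comm="cupsd" name="printers.conf" dev=hda2 ino=12 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def parse_avcs(text):
    """Return ({(source_type, target_type, class): set(perms)}, set(source roles))."""
    rules = defaultdict(set)
    roles = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial; ignore
        _user, src_role, src_type = m["src"].split(":")[:3]
        _user, _tgt_role, tgt_type = m["tgt"].split(":")[:3]
        roles.add(src_role)  # the subject's role must be declared in require
        rules[(src_type, tgt_type, m["cls"])].update(m["perms"].split())
    return rules, roles

def build_module(name, version, rules, roles):
    """Emit loadable-module source: every type, class and role used by the
    allow rules is declared in the require block, or checkmodule rejects it."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\trole {r};" for r in sorted(roles)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in types]
    out += ["};", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    rules, roles = parse_avcs(SAMPLE_AVCS)
    print(build_module("local", "1.0", rules, roles))
    # Save as local.te, then build and install as in the thread:
    #   checkmodule -M -m -o local.mod local.te
    #   semodule_package -o local.pp -m local.mod -f local.fc
    #   semodule -i local.pp    (semodule -l lists what is loaded)
```

Review the generated allow rules before loading them: a denial is only evidence that access was blocked, not that it should be permitted.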