custom selinux policy

Daniel J Walsh dwalsh at redhat.com
Thu Dec 1 01:09:27 UTC 2005


Laurent Jacquot wrote:
> On mar, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
>   
>> Laurent Jacquot wrote:
>>     
>>> On mar, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
>>>> Laurent Jacquot wrote:
>>>>> Hello,
>>>>> I can no longer build my custom selinux policy with recent upgrades (SE
>>>>> policy source replaced with SE policy).
>>>>> What is the new way (used to be make reload)?
>>>>>
>>>>> tx in advance
>>>>> 	jk
>>>>>
>>>> You need to use loadable modules.  Take a look at the man page for 
>>>> audit2allow, for some explanation.  I don't know if we have a good 
>>>> description available yet for loadable policy.
>>>>
>>>> The hardest part of converting your local.te into a loadable module will 
>>>> be writing the require section.
>>>> You need to define all types, class and roles in this section in order 
>>>> to get the loadable module.
>>>> ==================================================================================
>>>>        module local 1.0;
>>>>
>>>>        require {
>>>>                role system_r;
>>>>
>>>>                class fifo_file {  getattr ioctl };
>>>>
>>>>                type cupsd_config_t;
>>>>                type unconfined_t;
>>>>         };
>>>>
>>>>        allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
>>>> ==================================================================================
>>>>
>>>> -- 
>>> Thanks a lot for this info.
>>> BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
>>> regarding the module stuff. Hopefully, the -M option is verbose
>>>
>>> Would you mind shedding some light on the new file context definition? (used
>>> to be local.fc)
>>>
>>> Laurent
>>>
>>>
>>>
>> manpage looks correct on my machine?
>>
>> File context file should be the same.
>>
>>  checkmodule -M -m -o /tmp/local.mod /tmp/local.te
>> semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc
>>     
>
> Will try as soon as I find time. Does this semanage thing have to be run
> each time a reboot occurs in order to load my custom modules, or does it
> recall it automagically?
>   
Init will automagically load your custom policy.
 > semodule -l
Shows all loadable modules currently in the policy.

> manpage is ok now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
> Is it a bug? First time I've seen this behavior.
>
>   
I have no idea what happened
> Anyway, thanks a lot to all the giants managing to transition those
> udev, selinux, modular xorg, etc. so smoothly.
>
>   
The wonder of OpenSource.
> Laurent
>
>
>   


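The thread's advice is that the hard part of turning an old local.te into a loadable module is writing the require section, and that the build is checkmodule followed by semodule_package. The following is an added example, not code from the thread or from the SELinux tools: it derives the require block (types, classes and permissions) from the allow rules, emits a .te in the form shown above, and lists the build commands. Roles cannot be recovered from allow rules, so system_r is assumed as in Dan's example; the final `semodule -i` install step is not in the thread and is assumed from semodule's documented usage.

```python
import re
from collections import defaultdict

# Constructed sample: the single allow rule from the thread, as it would
# sit in an old-style local.te that has no require section yet.
LOCAL_TE_RULES = "allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };\n"

# allow <src> <tgt>:<class> { perm perm } ;   or   allow <src> <tgt>:<class> perm ;
RULE_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{\s*([\w\s]+?)\s*\}|(\w+))\s*;",
    re.MULTILINE)


def build_require(rules):
    """Collect every type and class/permission the allow rules reference.
    Returns (sorted types, {class: sorted perms}); roles are supplied by the caller."""
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, braced, single in RULE_RE.findall(rules):
        types.update((src, tgt))
        classes[cls].update(braced.split() if braced else [single])
    return sorted(types), {c: sorted(p) for c, p in classes.items()}


def render_module(name, version, rules, roles=("system_r",)):
    """Emit a complete .te for checkmodule -M: header, require block, then rules."""
    types, classes = build_require(rules)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\trole {r};" for r in roles]
    out += [f"\tclass {c} {{ {' '.join(p)} }};" for c, p in sorted(classes.items())]
    out += [f"\ttype {t};" for t in types]
    out += ["};", "", rules.strip(), ""]
    return "\n".join(out)


def build_commands(name, workdir="/tmp"):
    """Build and package steps from the thread; semodule -i (assumed) installs the .pp.
    The -f file must exist: an empty local.fc is fine if no file contexts are needed."""
    base = f"{workdir}/{name}"
    return [
        f"checkmodule -M -m -o {base}.mod {base}.te",
        f"semodule_package -o {base}.pp -m {base}.mod -f {base}.fc",
        f"semodule -i {base}.pp",
    ]


if __name__ == "__main__":
    print(render_module("local", "1.0", LOCAL_TE_RULES))
    print("\n".join(build_commands("local")))
```

After installing, `semodule -l` should list `local` alongside the other loaded modules.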
More information about the fedora-devel-list mailing list