custom selinux policy

Laurent Jacquot jk at lutty.net
Wed Nov 30 20:56:48 UTC 2005


On Tue, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
> Laurent Jacquot wrote:
> > On Tue, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
> >> Laurent Jacquot wrote:
> >>> Hello,
> >>> I can no longer build my custom selinux policy with recent upgrades (SE
> >>> policy source replaced with SE policy).
> >>> What is the new way (used to be make reload)?
> >>>
> >>> tx in advance
> >>> 	jk
> >>>
> >> You need to use loadable modules.  Take a look at the man page for 
> >> audit2allow, for some explanation.  I don't know if we have a good 
> >> description available yet for loadable policy.
> >>
> >> The hardest part of converting your local.te into a loadable module will 
> >> be writing the require section.
> >> You need to define all types, class and roles in this section in order 
> >> to get the loadable module.
> >> ==================================================================================
> >>        module local 1.0;
> >>
> >>        require {
> >>                role system_r;
> >>
> >>                class fifo_file {  getattr ioctl };
> >>
> >>                type cupsd_config_t;
> >>                type unconfined_t;
> >>         };
> >>
> >>        allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
> >> ==================================================================================
> >>
> >> -- 
> > Thanks a lot for this info.
> > BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
> > regarding the module stuff. Hopefully, the -M option is verbose
> >
> > Would you mind shedding some light on the new file context definition? (used
> > to be local.fc)
> >
> > Laurent
> >
> >
> >
> manpage looks correct on my machine?
> 
> File context file should be the same.
> 
>  checkmodule -M -m -o /tmp/local.mod /tmp/local.te
> semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc

Will try as soon as I find time. Does this semanage thing have to be run
each time a reboot occurs in order to load my custom modules, or does it
recall them automagically?

The manpage is OK now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
Is it a bug? First time I've seen this behavior.

Anyway, thanks a lot to all the giants managing to transition those
udev, selinux, modular xorg, etc. so smoothly.

Laurent
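As an added example that is not part of the thread: a small Python helper that derives the require section Dan describes (the hard part of converting local.te) from a set of allow rules, the job audit2allow -M does, and treats `self` as a keyword rather than a type to require. The extra sample rules and the cupsd_etc_t type are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample input: the allow rule from the thread plus two made-up
# rules, to show permissions for one class being merged and a second type.
SAMPLE_RULES = """
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
allow cupsd_config_t unconfined_t:fifo_file read;
allow cupsd_config_t cupsd_etc_t:dir search;
"""

# allow <source> <target>:<class> <perm | { perm ... }>;
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.MULTILINE)


def parse_allow_rules(text):
    """Return a list of (source, target, class, set_of_perms) tuples."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def generate_module(name, rules_text, roles=("system_r",), version="1.0"):
    """Emit loadable-module source whose require block declares every role,
    class (with the permissions actually used) and type the rules refer to,
    which is what checkmodule -M -m demands before it will compile."""
    rules = parse_allow_rules(rules_text)
    types, classes = set(), defaultdict(set)
    for src, tgt, cls, perms in rules:
        types.add(src)
        if tgt != "self":        # 'self' is a keyword, not a type to require
            types.add(tgt)
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\trole {role};" for role in roles]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += ["};", ""]
    lines += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for s, t, c, p in rules]
    return "\n".join(lines) + "\n"


def required_types(module_text):
    """Types declared in a module's require block (quick consistency check)."""
    return set(re.findall(r"^\s*type\s+(\w+);", module_text, re.MULTILINE))


if __name__ == "__main__":
    print(generate_module("local", SAMPLE_RULES), end="")
```

The printed text can be saved as local.te and fed to the checkmodule / semodule_package commands quoted above.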