.te file in RPMs

Jeff Johnson n3npq at nc.rr.com
Tue Apr 20 16:54:50 UTC 2004


mike at flyn.org wrote:

>>>I would like to learn the proper way for a package to install an associated
>>>te file, rebuild the SELinux policy and load the new policy.  Could someone
>>>point me in the proper direction?  Is there something better than "make
>>>reload" in the post-install script?
>
>>Currently there is no proper method.
>>
>>Loading the policy in the post-install alone won't do it.  Any policy that
>>is significant will add new file types, and the package which contains the
>>policy (*) will have files that need to be labeled with those types.  This
>>means that you would have to not only load the policy but label the files
>>in the post-install script.  This is ugly.
>
>Does this mean that this is not a blocker for Fedora Core 2, as the entry in
>the SELinux roadmap at http://fedora.redhat.com/projects/selinux/ seems to
>imply ("Fedora Core 2 release may happen after item 9 or 10...")?

The means to save *.te files exists in rpm-4.3 and later.

In %files, adding %policy before a path will load the contents of the
file into metadata.

If the path is relative, then it's relative to the build directory, and
the contents go only into the header.

If the path is absolute, then it's relative to $RPM_BUILD_ROOT, and the
contents go into both the header and the payload.

Now, all that being said, the entire mechanism is gonna be scrapped and
redone, for several reasons:
    1) policy is now composed of both macros and *.te files (and *.fc,
       handled already), and has policy versions and booleans and probably
       other "stuff" in the works that needs to be accommodated.
    2) policy is still changing too rapidly for it to make sense to burn
       into package headers that are about to be released as Fedora Core 2,
       which will persist long beyond the development cycle.

So it's time to back up and redesign how policy should be packaged into rpm.

So, "Not a blocker" afaik.

73 de Jeff