Where should an RPM install .te/.fc files?

mike at flyn.org
Wed Jun 16 16:48:58 UTC 2004


>> I maintain an RPM that installs .te and .fc files.  In the past,
>> contributing to the system's SELinux policy could be done by installing
>> files in /etc/security/selinux/src/policy (I'm not sure this is right
>> to begin with):

>> %policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
 
>> However, now policies may be in /etc/selinux/strict/src/policy/ or
>> /etc/selinux/targeted/src/policy/.  It is also possible that only one of
>> these directories exists.
 
> I don't think that your macros file fits in with the targeted policy, and
> I think that the general aims of the targeted policy don't involve that
> sort of thing (but this hasn't been considered much so far).
 
> It's probably best to install the files under only the strict directory.
 
> It is also possible that only one of those directories exists.

Installing exclusively under the strict policy makes sense.  The things I am
explicitly allowing should probably already be allowed by the targeted
policy.  However, what about the case where a user does not have the strict
policy installed?  In this case my RPM will install its policy files to an
otherwise empty policy source tree.  This may result in directories like
/etc/selinux/strict being orphans -- not owned by any RPM.  Should this be
avoided somehow?

Thanks for your help!

--
Mike


