distributing custom policy
Daniel J Walsh
dwalsh at redhat.com
Wed Jun 15 19:32:24 UTC 2005
Stephen Smalley wrote:
>On Wed, 2005-06-15 at 14:53 -0400, Security News wrote:
>
>
>>Sorry, in the first post I meant to say that I wanted to install the
>>policycoreutils<version>.rpm (the devil really is in the details.)
>>
>>--the reason for needing this rpm is that I am hoping to be able to
>>install a custom policy and file-labelling without installing the
>>source configuration files. This is just so that even a root user
>>could be kept from editing my policy.conf files. I need the coreutils
>>b/c if the source config files are not going to be present then
>>neither is the Makefile, so I would need to use "fixfiles relabel" and
>>"load_policy".
>>
>>Unless, there is a better way to load and relabel when not installing
>>the config source files.
>>
>>I am hoping to have this installation be performed by someone else
>>somewhere else, and to make the installation as mindless as possible
>>for them.
>>
>>
>
>policycoreutils is always needed for SELinux, so it should already be
>installed on the base FC3 systems running targeted policy. You would
>only need to install a different version of it if your strict policy
>relies on a newer base version of policycoreutils than the stock FC3 one
>(at which point you may want to check whether you also require a newer
>libsepol and libselinux as well).
>
>
>
Also fixfiles/restorecon/setfiles do not require policy sources to be
installed. They use the file_context files in
/etc/selinux/TYPE/contexts/files/ directory.
Dan
--
More information about the fedora-selinux-list
mailing list