How to apply new policy exactly?

Stephen Smalley sds at tycho.nsa.gov
Tue Sep 19 12:57:52 UTC 2006


On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.

That's because it was written before modular policy support existed.
Useful links:
Fedora Core 5 SELinux FAQ http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki http://fedoraproject.org/wiki/SELinux/

Dan and Joshua, it looks like the links to various Tresys site pages are no longer valid.

> Well then, what's a correct build path? Are the following steps correct?
> write foo.te file, and execute
> #checkmodule -M -m foo.te -o foo.mod
> Then
> #semodule -i foo.mod

semodule acts on a policy module package rather than just a module,
which you can create via:
	semodule_package -o foo.pp -m foo.mod
If you have file contexts as well, you can bundle them within the
package, as in:
	semodule_package -o foo.pp -m foo.mod -f foo.fc

But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577


> Besides, is it then impossible to customize my own base policy package?
> Or I shall start over and write my own base module word by word?

It isn't impossible, but in many cases, it is no longer necessary - you
can define your own policy modules and add them, or you can use semanage
to customize other local settings, while still being able to just use
the Fedora-provided base policy and any updates to it.

You can certainly replace the entire policy and just use the refpolicy
from oss.tresys.com, but if you don't need to do so, then it is just
making more work for yourself.

-- 
Stephen Smalley
National Security Agency
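The build path described in the reply, as an added example that is not part of the original mail: one POSIX sh function that compiles a module, packages it (bundling the file contexts only if a `.fc` file exists, as the reply notes), and loads it. The module name `foo` and the `DRY_RUN` switch are assumptions; with `DRY_RUN=1` the commands are printed rather than executed, so the sequence can be checked on a host without the SELinux userspace tools.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes foo.te (and optionally
# foo.fc) already exist in the current directory; DRY_RUN is a constructed
# switch that prints each command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# build_and_install NAME: NAME.te -> NAME.mod -> NAME.pp -> loaded module.
build_and_install() {
    name=$1
    [ -f "$name.te" ] || { echo "missing $name.te" >&2; return 1; }
    # -M: compile as a loadable module (not a monolithic policy)
    # -m: treat the input as module source
    run checkmodule -M -m "$name.te" -o "$name.mod" || return 1
    # semodule needs a package (.pp), not a bare .mod; add -f only when
    # there are file contexts to bundle
    if [ -f "$name.fc" ]; then
        run semodule_package -o "$name.pp" -m "$name.mod" -f "$name.fc" || return 1
    else
        run semodule_package -o "$name.pp" -m "$name.mod" || return 1
    fi
    # install the package into the running policy store
    run semodule -i "$name.pp" || return 1
}
```

Run it as `build_and_install foo` once the tools are installed; the function stops at the first failing step so a broken `.te` never reaches `semodule -i`.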
