[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: custom selinux policy



Laurent Jacquot wrote:
On Tue, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
Laurent Jacquot wrote:
On Tue, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
Laurent Jacquot wrote:
Hello,
I can no longer build my custom selinux policy with recent upgrades (SE
policy source replaced with SE policy).
What is the new way (used to be make reload)?

tx in advance
	jk

You need to use loadable modules. Take a look at the man page for audit2allow, for some explanation. I don't know if we have a good description available yet for loadable policy.

The hardest part of converting your local.te into a loadable module will be writing the require section. You need to define all types, classes and roles in this section in order to get the loadable module.
==================================================================================
        module local 1.0;

        require {
                role system_r;

                class fifo_file { getattr ioctl };

                type cupsd_config_t;
                type unconfined_t;
        };

        allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
==================================================================================

--
Thanks a lot for this info.
BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
regarding the module stuff. Hopefully, the -M option is verbose

Would you mind shedding some light on the new file context definition? (used
to be local.fc)

Laurent



manpage looks correct on my machine?

File context file should be the same.

checkmodule -M -m -o /tmp/local.mod /tmp/local.te
semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc

Will try as soon as I find time. Does this semanage thing have to be run
each time a reboot occurs in order to load my custom modules, or does it
recall them automagically?
Init will automagically load your custom policy
> semodule -l
Shows all loadable modules currently in the policy.

manpage is ok now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
Is it a bug? First time I've seen this behavior.

I have no idea what happened
Anyway, thanks a lot to all the giants managing to transition those
udev, selinux, modular xorg, etc., so smoothly.

The wonder of OpenSource.
Laurent




--
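The build described in the thread, as an added example (not code from the thread, from Dan Walsh, or from the SELinux project): the require section that Dan calls the hardest part is generated from the allow rules instead of written by hand, and the three commands he gives are then run to build and load the module. The module name "local", the allow rules, the hypothetical helper path in the file-context line and the temporary directory are assumptions for illustration; the base policy must already define every type and class the rules mention, and semodule -i needs root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SELinux project.
# Generates the .te (module header + require section) from plain allow
# rules, then builds and loads it with the commands given in the thread.
# The module name "local", the rules and the file-context line below are
# constructed for illustration.

# gen_module_te NAME [VERSION]
# Reads allow rules of the form
#     allow SRC_T TGT_T:CLASS { perm1 perm2 };     (or a single bare perm)
# on stdin and prints a complete loadable-module source.  Every type and
# every class/permission pair the rules use is listed in require {}.
# Roles are not emitted: plain allow rules never reference one.
gen_module_te() {
    awk -v name="$1" -v ver="${2:-1.0}" '
    # "self" is a keyword, not a type, so it must not appear in require {}
    function add_type(t) { if (t != "self" && !(t in tseen)) { tseen[t] = 1; tlist[++nt] = t } }
    $1 == "allow" && NF >= 4 {
        src = $2
        split($3, a, ":"); tgt = a[1]; cls = a[2]
        # $4..$NF is the permission list; drop braces and the trailing ";"
        s = ""
        for (i = 4; i <= NF; i++) s = s " " $i
        gsub(/[{};]/, " ", s)
        m = split(s, p, " ")
        add_type(src); add_type(tgt)
        if (!(cls in cseen)) { cseen[cls] = 1; clist[++nc] = cls }
        perms = ""
        for (i = 1; i <= m; i++) {
            perms = perms " " p[i]
            # merge permissions per class across all rules for the require block
            if (!((cls, p[i]) in pseen)) { pseen[cls, p[i]] = 1; preq[cls] = preq[cls] " " p[i] }
        }
        rules[++nr] = "allow " src " " tgt ":" cls " {" perms " };"
    }
    END {
        printf "module %s %s;\n\nrequire {\n", name, ver
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", clist[i], preq[clist[i]]
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
        printf "};\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_and_load NAME DIR
# The three commands from the thread, plus a check that the module is now
# listed.  Returns 2 without building where the SELinux tools are absent;
# semodule -i needs root.  Loading only installs the file-context spec, so
# paths covered by the .fc still need restorecon afterwards.
build_and_load() {
    name=$1; dir=$2
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found, skipping build" >&2; return 2; }
    done
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" -f "$dir/$name.fc" &&
    semodule -i "$dir/$name.pp" &&
    semodule -l | grep "^$name"
}

workdir=$(mktemp -d)
# Constructed rules: the thread's cupsd rule plus two that exercise the
# per-class permission merge and the "self" target.
printf '%s\n' \
    'allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };' \
    'allow cupsd_config_t unconfined_t:fifo_file write;' \
    'allow cupsd_config_t self:process signal;' \
    | gen_module_te local 1.0 > "$workdir/local.te"
# Constructed file context for a hypothetical helper; same format as the old local.fc.
printf '%s\n' '/usr/local/bin/cups-helper -- system_u:object_r:bin_t' > "$workdir/local.fc"
cat "$workdir/local.te"
build_and_load local "$workdir" || echo "module not loaded (status $?)" >&2
rm -rf "$workdir"
```

Run as root on the target host; on a machine without the policy tools it still prints the generated local.te so the require section can be checked before copying it over.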


