custom selinux policy
Laurent Jacquot
jk at lutty.net
Wed Nov 30 20:56:48 UTC 2005
On mar, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
> Laurent Jacquot wrote:
> > On mar, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
> >
> >> Laurent Jacquot wrote:
> >>
> >>> Hello,
> >>> I can no longer build my custom selinux policy with recent upgrades (SE
> >>> policy source replaced with SE policy).
> >>> What is the new way (used to be make reload)?
> >>>
> >>> tx in advance
> >>> jk
> >>>
> >>>
> >>>
> >> You need to use loadable modules. Take a look a the man page for
> >> audit2allow, for some explanation. I don't know if we have a good
> >> description available yet for loadable policy.
> >>
> >> The hardest part of converting your local.te into a loadable module will
> >> be writing the require section.
> >> You need to define all types, class and roles in this section in order
> >> to get the loadable module.
> >> ==================================================================================
> >> module local 1.0;
> >>
> >> require {
> >> role system_r;
> >>
> >> class fifo_file { getattr ioctl };
> >>
> >> type cupsd_config_t;
> >> type unconfined_t;
> >> };
> >>
> >> allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
> >> ==================================================================================
> >>
> >> --
> >>
> > Thanks a lot for this info.
> > BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
> > regarding the module stuff. Hopefully, the -M option is verbose
> >
> > Would you mind shedding some light on the new file context definition? (used
> > to be local.fc)
> >
> > Laurent
> >
> >
> >
> >
> manpage looks correct on my machine?
>
> File context file should be the same.
>
> checkmodule -M -m -o /tmp/local.mod /tmp/local.te
> semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc
Will try as soon as I find time. Does this semanage thing have to be run
each time a reboot occurs in order to load my custom modules, or does it
recall them automagically?
manpage is ok now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
Is it a bug? First time I see this behavior.
Anyway, thanks a lot to all the giants managing to transition those
udev, selinux, modular xorg, etc. so smoothly.
Laurent
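The part of the thread that Dan calls hardest, writing the require section so that every type, class and role named in the allow rules is declared, is mechanical once the AVC denials are in hand. The following script is an added illustration, not from the thread and not audit2allow itself: it parses a few constructed AVC denial lines (the cupsd_config_t / unconfined_t fifo_file case quoted above plus a hypothetical myapp_t / etc_t file case) and renders a complete module source in the same shape as Dan's local.te, deriving the require block from the rules it emits so nothing is left undeclared.

```python
"""Render a loadable SELinux policy module (.te) from AVC denial lines.

Added example for this thread; not audit2allow. It demonstrates that the
require block must declare every type, class (with the permissions used)
and role that the allow rules reference.
"""
import re
from collections import defaultdict

# Constructed sample denials (not taken from the original thread). The first
# two match the cupsd_config_t -> unconfined_t fifo_file case quoted in the
# thread; the third uses hypothetical types myapp_t / etc_t for a second class.
SAMPLE_AVCS = """\
type=AVC msg=audit(1133384208.123:45): avc:  denied  { getattr } for  pid=2345 comm="cupsd" path="pipe:[1234]" dev=pipefs ino=1234 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
type=AVC msg=audit(1133384208.456:46): avc:  denied  { ioctl } for  pid=2345 comm="cupsd" path="pipe:[1234]" dev=pipefs ino=1234 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:system_r:unconfined_t tclass=fifo_file
type=AVC msg=audit(1133384210.000:47): avc:  denied  { read getattr } for  pid=2400 comm="myapp" name="app.conf" dev=sda1 ino=99 scontext=user_u:system_r:myapp_t tcontext=system_u:object_r:etc_t tclass=file
"""

# Only the fields a policy rule needs: permissions, both contexts, the class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def context_field(context, index):
    """Return one colon-separated field of a context user:role:type[:range];
    index 1 is the role, index 2 the type (works with or without an MLS range)."""
    return context.split(":")[index]


def parse_avc(text):
    """Return (source_type, source_role, target_type, tclass, perms) per denial
    line; lines that are not AVC denials are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append((
            context_field(m.group("scon"), 2),
            context_field(m.group("scon"), 1),
            context_field(m.group("tcon"), 2),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return denials


def build_module(denials, name="local", version="1.0"):
    """Render module header, require block and allow rules as one .te source.

    Rules sharing a (source, target, class) triple are merged; the require
    block is computed from the rules themselves, because any symbol used but
    not required makes checkmodule reject the module."""
    rules = defaultdict(set)
    roles = set()
    for stype, role, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)].update(perms)
        roles.add(role)  # declared as in the thread's local.te example

    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\trole {r};" for r in sorted(roles)]
    out.append("")
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out.append("")
    out += [f"\ttype {t};" for t in types]
    out += ["};", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(parse_avc(SAMPLE_AVCS)), end="")
```

Save the output as local.te and build it with the commands Dan gives in the thread, `checkmodule -M -m -o local.mod local.te` followed by `semodule_package -o local.pp -m local.mod` (add `-f local.fc` if you have file contexts); `semodule -i local.pp` then installs it. Installed modules live in the policy module store and are part of the policy loaded at boot, so the install is a one-time step rather than something to repeat after each reboot. Review every generated allow rule before installing it: a denial is evidence that an access was attempted, not proof that it should be permitted.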
More information about the fedora-devel-list mailing list