custom selinux policy

Laurent Jacquot jk at lutty.net
Tue Nov 29 19:27:49 UTC 2005


On mar, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
> Laurent Jacquot wrote:
> > Hello,
> > I can no longer build my custom selinux policy with recent upgrades (SE
> > policy source replaced with SE policy).
> > What is the new way (used to be make reload)?
> >
> > tx in advance
> > 	jk
> >
> >   
> You need to use loadable modules.  Take a look at the man page for 
> audit2allow, for some explanation.  I don't know if we have a good 
> description available yet for loadable policy.
> 
> The hardest part of converting your local.te into a loadable module will 
> be writing the require section.
> You need to define all types, classes and roles in this section in order 
> to get the loadable module.
> ==================================================================================
>        module local 1.0;
> 
>        require {
>                role system_r;
> 
>                class fifo_file {  getattr ioctl };
> 
>                type cupsd_config_t;
>                type unconfined_t;
>         };
> 
>        allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
> ==================================================================================
> 
> -- 
Thanks a lot for this info.
BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
regarding the module stuff. Hopefully, the -M option is verbose

Would you mind shedding some light on the new file context definition? (used
to be local.fc)

Laurent
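
An added example, not part of the original messages or of policycoreutils: a small Python sketch that derives the require section discussed above from the allow rules of an old local.te. The function name build_module and the second sample rule are constructed for illustration. It handles only simple rules (one source, one target, one class), assumes every source and target is a type rather than an attribute, and does not emit role requirements.

```python
import re
from collections import defaultdict

# Matches simple allow rules such as:
#   allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

# First rule is the one from the thread; the second is constructed.
SAMPLE = """
allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
allow cupsd_config_t self:fifo_file read;
"""

def build_module(name, version, rules_text):
    """Wrap old-style allow rules in a loadable module with a require block."""
    types, classes, rules = set(), defaultdict(set), []
    for src, tgt, cls, perm_set, perm_one in ALLOW_RE.findall(rules_text):
        perms = (perm_set or perm_one).split()
        types.add(src)
        if tgt != "self":  # "self" is a keyword, not a type to require
            types.add(tgt)
        classes[cls].update(perms)
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    if not rules:
        raise ValueError("no simple allow rules found")
    out = [f"module {name} {version};", "", "require {"]
    # Every class (with the permissions used) and every type must be declared.
    for cls in sorted(classes):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    out += [f"\ttype {t};" for t in sorted(types)]
    out += ["}", ""] + rules
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_module("local", "1.0", SAMPLE), end="")
```

The generated text can be saved as local.te and compiled with checkmodule -M -m -o local.mod local.te, packaged with semodule_package -o local.pp -m local.mod, and loaded with semodule -i local.pp. semodule_package also accepts a file context file through its -f option.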





