.te file in RPMs

Russell Coker russell at coker.com.au
Tue Apr 20 15:56:18 UTC 2004


On Wed, 21 Apr 2004 02:20, "mike at flyn.org" <mike at flyn.org> wrote:
> I would like to learn the proper way for a package to install an associated
> te file, rebuild the SELinux policy and load the new policy.  Could someone
> point me in the proper direction?  Is there something better than "make
> reload" in the post-install script?

Currently there is no proper method.

Loading the policy in the post-install alone won't do it.  Any policy that is 
significant will add new file types, and the package which contains the 
policy (*) will have files that need to be labeled with those types.  This 
means that you would have to not only load the policy but label the files in 
the post-install script.  This is ugly.

(*)  I am assuming that you often want to have the .te files in the same 
package as the programs which need them.  For some programs there may be 
several programs that need the same policy (examples are xdm type programs, 
FTP servers, etc) and so it makes sense to have policy separate from the 
packages.  For the case of packages such as Postfix or Apache there is only 
one program that can possibly work with the policy so having two packages 
(one for policy and another for the actual package) seems at best wasteful, 
and at worst increases the chance of bugs relating to mismatches between
versions with no good cause.

I think that doing this in any convenient way will require a change to rpm.  
The policy will have to be loaded before any files are installed.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


