Creating new roles

Stephen Smalley sds at epoch.ncsc.mil
Thu Jan 13 21:51:04 UTC 2005


On Thu, 2005-01-13 at 16:47, Steve Brueckner wrote:
> I'm just getting started with SELinux.  I've read a bunch and just installed
> FC3.  
> 
> I'm trying to add a new role, but can't figure out where roles are defined.
> The O'Reilly book says they're "scattered around the policy tree" and Debian
> references say they're in users.te, which doesn't appear to exist in FC3.
> 
> If I can find where the few extant roles are defined, I can probably figure
> out how to define my own.  Or should I be trying to do it from scratch by
> making a new file?  In which case I could use some hints on how to do it.

By default, FC3 uses the "targeted" policy, which only confines specific
network services and does not have any real notion of user roles and
domains.  You can switch to the "strict" policy by installing it (e.g.
yum install selinux-policy-strict*) and then using the
system-config-securitylevel GUI to set the active policy to it and
rebooting, at which point it should automatically relabel.  Or manually,
you can just edit /etc/selinux/config to set the SELINUXTYPE to strict,
reboot single user, and run fixfiles relabel by hand, then bring the
system up the rest of the way.  Have you read the Fedora SELinux FAQ? 
http://fedora.redhat.com/docs/selinux-faq-fc3/

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
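
The manual switch described in the message above, as an added example (not part of the original post and not Fedora's own tooling). The helper names and the root-directory argument are assumptions made so the edit can be tried on a constructed tree; the check for a policy directory under /etc/selinux stands in for confirming the strict policy package is installed before the config points at it.

```shell
#!/bin/sh
# Added example. $1 is a root directory ("" means the live system).

# Print the active SELINUXTYPE value; commented-out lines are ignored.
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$1/etc/selinux/config" | tail -n 1
}

# Set SELINUXTYPE to $2 under root $1, keeping a .bak copy of the config.
# Returns 2 (and changes nothing) if that policy is not installed.
set_selinux_type() {
    root=$1 new=$2
    cfg="$root/etc/selinux/config"
    # Installed policies live in /etc/selinux/<type>; refuse a missing one.
    if [ ! -d "$root/etc/selinux/$new" ]; then
        echo "policy '$new' not installed under $root/etc/selinux" >&2
        return 2
    fi
    cp -p "$cfg" "$cfg.bak" || return 1
    if grep -q '^[[:space:]]*SELINUXTYPE=' "$cfg"; then
        # Writing through the redirect keeps the original file's inode and label.
        sed "s/^[[:space:]]*SELINUXTYPE=.*/SELINUXTYPE=$new/" "$cfg.bak" > "$cfg"
    else
        printf 'SELINUXTYPE=%s\n' "$new" >> "$cfg"
    fi
    [ "$(selinux_type "$root")" = "$new" ]
}

# Constructed demo tree (not a real system): only 'targeted' is installed.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/etc/selinux/targeted"
    printf '%s\n' '# SELINUXTYPE= type of policy in use.' \
        'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$d/etc/selinux/config"
    first=0; second=0
    set_selinux_type "$d" strict 2>/dev/null || first=$?  # refused: not installed
    mkdir -p "$d/etc/selinux/strict"      # stands in for the yum install step
    set_selinux_type "$d" strict || second=$?
    echo "$first $second $(selinux_type "$d")"
    rm -rf "$d"
}
demo
```

On a live system, `set_selinux_type "" strict` run as root edits /etc/selinux/config itself; the single-user reboot and `fixfiles relabel` from the message still follow.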
