distributing custom policy

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 15 18:41:20 UTC 2005

On Wed, 2005-06-15 at 14:27 -0400, Security News wrote:
> Anyone have any thoughts on the best way to install my own policy
> files on a few machines.
> I have to go out and find a way to install a policy file, install my
> own file_context files, and then compile and load the new custom
> policy and fc files.
> These systems would be running standard FC3 with the targetted policy,
> but without the targetted sources.
> I would like to set them all up so that they then have my own version
> of the strict policy, without having the source files installed.
> Is rpm the best way to attack this or are there better options out
> there?  As I see it I would have to include the
> policy-strict-<version>.rpm as well as setools-<version>.rpm within my
> own rpm file in order to load everything necessary to load the policy
> and relabel the filesystem.

setools isn't needed for SELinux operation; they are purely optional
tools for policy analysis and management.

It sounds like you want to perform a wholesale replacement of the policy
on these systems.  That should be feasible without requiring policy
sources on the end systems (in the future, it will be possible to also
distribute binary policy modules that can be linked into the base policy
on the end systems without requiring sources on the end systems, but
that support won't be available until FC5).  

I'm not sure why you need anything other than a selinux-policy-strict
package (which contains the binary policy file, the file_contexts
configuration, and other policy-related config files) with a modified
post scriptlet in the spec file to perform the conversion (e.g. switch
to permissive mode, change /etc/selinux/config, load new policy, relabel
filesystems, reboot).  Naturally, the devil is in the details; you'll
want to try it on a non-production system first.

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list