distributing custom policy

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 15 18:54:12 UTC 2005


On Wed, 2005-06-15 at 14:41 -0400, Stephen Smalley wrote:
> I'm not sure why you need anything other than a selinux-policy-strict
> package (which contains the binary policy file, the file_contexts
> configuration, and other policy-related config files) with a modified
> post scriptlet in the spec file to perform the conversion (e.g. switch
> to permissive mode, change /etc/selinux/config, load new policy, relabel
> filesystems, reboot).  Naturally, the devil is in the details; you'll
> want to try it on a non-production system first.

BTW, if it is a custom policy (not just the stock Fedora strict policy),
then you should give it another name other than strict and put it under
its own subtree of /etc/selinux to avoid conflicts (and potential
replacement by the Fedora strict policy upon subsequent updates).

-- 
Stephen Smalley
National Security Agency
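
The conversion steps and the naming advice in this thread, sketched as a shell function that a package's post scriptlet could call. This is an added example, not code from the post or from any Fedora package; `switch_policy`, its `ROOT` prefix argument and the policy name `sitepolicy` are hypothetical, and the subtree layout checked is the usual `/etc/selinux/<name>/policy` and `contexts/files/file_contexts`.

```shell
#!/bin/sh
# Added example (not from the original post). Hypothetical names:
# switch_policy, the ROOT prefix argument, the policy name "sitepolicy".

# switch_policy ROOT NAME
# Point ROOT/etc/selinux/config at custom policy NAME in permissive mode and
# request a relabel on next boot. ROOT is "" on a real system; a non-empty
# ROOT lets the logic be exercised against a scratch directory.
switch_policy() {
    root=$1 name=$2
    cfg="$root/etc/selinux/config"
    tree="$root/etc/selinux/$name"

    # Stock names belong to distribution packages and may be replaced on update.
    case "$name" in
        strict|targeted) echo "refusing stock policy name: $name" >&2; return 2 ;;
        ''|*[!A-Za-z0-9_-]*) echo "invalid policy name" >&2; return 2 ;;
    esac

    # The package must already have installed its own subtree.
    [ -d "$tree/policy" ] && [ -f "$tree/contexts/files/file_contexts" ] || {
        echo "missing policy subtree: $tree" >&2; return 3; }
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 3; }

    # Rewrite only the two settings; comments and other lines are kept.
    tmp="$cfg.new.$$"
    sed -e 's/^SELINUX=.*/SELINUX=permissive/' \
        -e "s/^SELINUXTYPE=.*/SELINUXTYPE=$name/" "$cfg" > "$tmp" || return 1
    grep -q '^SELINUX=' "$tmp" || echo 'SELINUX=permissive' >> "$tmp"
    grep -q '^SELINUXTYPE=' "$tmp" || echo "SELINUXTYPE=$name" >> "$tmp"
    mv "$tmp" "$cfg" || return 1

    # Fedora's boot scripts relabel filesystems when this flag file exists.
    : > "$root/.autorelabel"
}

# On a real system the scriptlet would run `setenforce 0` first, then
# `switch_policy "" sitepolicy`, and leave the reboot to the administrator.
```
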




More information about the fedora-selinux-list mailing list