distributing custom policy

Stephen Smalley sds at tycho.nsa.gov
Wed Jun 15 18:56:04 UTC 2005

On Wed, 2005-06-15 at 14:53 -0400, Security News wrote:
> Sorry, in the first post I meant to say that I wanted to install the
> policycoreutils<version>.rpm  (the devil really is in the details.)
> --the reason for needing this rpm is that I am hoping to be able to
> install a custom policy and file-labelling without installing the
> source configuration files.  This is just so that even a root user
> could be kept from editing my policy.conf files.  I need the coreutils
> b/c if the source config files are not going to be present then
> neither is the Makefile, so I would need to use "fixfiles relabel" and
> "load_policy".
> Unless, there is a better way to load and relabel when not installing
> the config source files.
> I am hoping to have this installation be performed by someone else
> somewhere else, and to make the installation as mindless as possible
> for them.

policycoreutils is always needed for SELinux, so it should already be
installed on the base FC3 systems running targeted policy.  You would
only need to install a different version of it if your strict policy
relies on a newer base version of policycoreutils than the stock FC3 one
(at which point you may want to check whether you also require a newer
libsepol and libselinux as well).

Stephen Smalley
National Security Agency

More information about the fedora-selinux-list mailing list