distributing custom policy

Daniel J Walsh dwalsh at redhat.com
Wed Jun 15 19:32:24 UTC 2005

Stephen Smalley wrote:

>On Wed, 2005-06-15 at 14:53 -0400, Security News wrote:
>>Sorry, in the first post I meant to say that I wanted to install the
>>policycoreutils<version>.rpm  (the devil really is in the details.)
>>--the reason for needing this rpm is that I am hoping to be able to
>>install a custom policy and file-labelling without installing the
>>source configuration files.  This is just so that even a root user
>>could be kept from editing my policy.conf files.  I need the coreutils
>>b/c if the source config files are not going to be present then
>>neither is the Makefile, so I would need to use "fixfiles relabel" and
>>Unless, there is a better way to load and relabel when not installing
>>the config source files.
>>I am hoping to have this installation be performed by someone else
>>somewhere else, and to make the installation as mindless as possible
>>for them.
>policycoreutils is always needed for SELinux, so it should already be
>installed on the base FC3 systems running targeted policy.  You would
>only need to install a different version of it if your strict policy
>relies on a newer base version of policycoreutils than the stock FC3 one
>(at which point you may want to check whether you also require a newer
>libsepol and libselinux as well).
Also fixfiles/restorecon/setfiles do not require policy sources to be 
installed.  They use the file_context files in

/etc/selinux/TYPE/contexts/files/ directory.



More information about the fedora-selinux-list mailing list