How to apply new policy exactly?

Stephen Smalley sds at tycho.nsa.gov
Mon Sep 18 13:09:02 UTC 2006


On Mon, 2006-09-18 at 18:02 +0800, Benjamin Tsai wrote:
> My purpose is to customize SELinux policies for my own daemon. 
> I want to create new user, role, type on my system.
> I thought I'll need policy sources to achieve the recompilation, so I
> start from refpolicy.

Clarification:  If you just want to create SELinux policy for your own
daemon, then you don't need policy sources anymore.  In FC5, policy
module support was introduced, so you can create, build, and install
your own policy module without needing the base policy sources at all.  

Still not clear as to whether you want strict policy or not from your
postings.  Do you want to confine everything, or just selected
processes?  Do you need to limit the actions of users, or just daemons?

Even if you want strict, I suspect you could just update your toolchain
and policy from FC6/devel rather than having to build from source
yourself.  

> On my box the directories you indicated are created automatically, so I
> think there're other problems. 
> 
> I've updated policy toolchain:
> selinux-policy-2.3.13-5
> libselinux-1.30.3-4.fc5
> selinux-policy-strict-2.3.13-5
> libsepol-1.12.26-1
> libsemanage-1.6.16-2
> policycoreutils-1.30.29-1
> checkpolicy-1.30.9-1.1

That version of checkpolicy isn't consistent with that libsepol.
Is that what is in FC5?  Or some mix of FC5 and devel?

> My refpolicy/src/policy/build.conf:
> 
> TYPE=strict-mcs
> NAME=refpolicy
> DISTRO=redhat
> DIRECT_INITRC=y
> MONOLITHIC=n
> 
> After the update, I re-compiled refpolicy source and got the following
> errors
> 
> libsepol.mls_read_range_helper: truncated range
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/refpolicy/modules/tmp/base.pp.
> /usr/sbin/semodule:  Failed!
> make: *** [load] Error 1

-- 
Stephen Smalley
National Security Agency
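As an added example that is not part of the thread, this is the kind of self-contained policy module the reply above refers to: a shell script that writes the .te and .fc files for a hypothetical daemon called mydaemon, builds mydaemon.pp with the policy module framework and loads it with semodule, with no base policy sources involved. It assumes the selinux-policy-devel package provides /usr/share/selinux/devel/Makefile and that the refpolicy interfaces init_daemon_domain, files_pid_file and files_pid_filetrans are available from the installed headers.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal refpolicy-style module
# for a hypothetical daemon "mydaemon", built and loaded with no base policy
# sources, as the FC5 module support allows.
# Assumes selinux-policy-devel provides /usr/share/selinux/devel/Makefile.

# Write mydaemon.te and mydaemon.fc into the directory given as $1.
write_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/mydaemon.te" <<'EOF'
policy_module(mydaemon, 1.0.0)

# Domain of the running daemon and the type of its executable.
type mydaemon_t;
type mydaemon_exec_t;
# Lets init run it and transitions init_t to mydaemon_t on exec.
init_daemon_domain(mydaemon_t, mydaemon_exec_t)

# Private pid-file type: the daemon cannot touch pid files of other services.
type mydaemon_var_run_t;
files_pid_file(mydaemon_var_run_t)
allow mydaemon_t mydaemon_var_run_t:file manage_file_perms;
# Files mydaemon_t creates under /var/run are labelled mydaemon_var_run_t.
files_pid_filetrans(mydaemon_t, mydaemon_var_run_t, file)
# Grant only what the daemon needs; derive further rules from AVC denials.
EOF
    cat > "$dir/mydaemon.fc" <<'EOF'
/usr/sbin/mydaemon      --  gen_context(system_u:object_r:mydaemon_exec_t,s0)
/var/run/mydaemon\.pid  --  gen_context(system_u:object_r:mydaemon_var_run_t,s0)
EOF
}

# Build mydaemon.pp with the devel Makefile, then load it with semodule.
# Returns 0 when the toolchain is absent so the script still runs elsewhere.
build_module() {
    dir="$1"
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel not installed; skipping build" >&2
        return 0
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile mydaemon.pp) &&
        semodule -i "$dir/mydaemon.pp"
}

workdir="${1:-$(mktemp -d)}"
write_module "$workdir"
build_module "$workdir"
```

After the module is loaded, relabel the daemon binary and pid file (for example with restorecon) so the new file contexts take effect.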