How to apply new policy exactly?

Benjamin Tsai benjamin.tsai at intervideo.com
Tue Sep 19 02:20:41 UTC 2006


I want to write policy for my own daemon, instead of a strict policy.
So, did I step onto the wrong road from the beginning?
Though, according to the document "Configuring the SELinux Policy", it
indicates a path to the policy source.

Well then, what's the correct build path? Are the following steps correct?
Write a foo.te file, and execute
    # checkmodule -M -m foo.te -o foo.mod
Then
    # semodule -i foo.mod

Besides, is it then impossible to customize my own base policy package?
Or shall I start over and write my own base module word by word?

-----Original Message-----
From: Stephen Smalley [mailto:sds at tycho.nsa.gov] 
Sent: Monday, September 18, 2006 9:09 PM
To: Benjamin Tsai
Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua
Brindle; fedora-selinux-list at redhat.com
Subject: RE: How to apply new policy exactly?

On Mon, 2006-09-18 at 18:02 +0800, Benjamin Tsai wrote:
> My purpose is to customize SELinux policies for my own daemon. 
> I want to create new user, role, type on my system.
> I thought I'll need policy sources to achieve the recompilation, so I
> start from refpolicy.

Clarification:  If you just want to create SELinux policy for your own
daemon, then you don't need policy sources anymore.  In FC5, policy
module support was introduced, so you can create, build, and install
your own policy module without needing the base policy sources at all.  

Still not clear as to whether you want strict policy or not from your
postings.  Do you want to confine everything, or just selected
processes?   Do you need to limit the actions of users, or just daemons?

Even if you want strict, I suspect you could just update your toolchain
and policy from FC6/devel rather than having to build from source
yourself.  

> On my box the directories you indicated are created automatically, so I
> think there're other problems.
> 
> I've updated policy toolchain:
> selinux-policy-2.3.13-5
> libselinux-1.30.3-4.fc5
> selinux-policy-strict-2.3.13-5
> libsepol-1.12.26-1
> libsemanage-1.6.16-2
> policycoreutils-1.30.29-1
> checkpolicy-1.30.9-1.1

That version of checkpolicy isn't consistent with that libsepol.
Is that what is in FC5?  Or some mix of FC5 and devel?

> My refpolicy/src/policy/build.conf:
> 
> TYPE=strict-mcs
> NAME=refpolicy
> DISTRO=redhat
> DIRECT_INITRC=y
> MONOLITHIC=n
> 
> After the update, I re-compiled refpolicy source and got the following
> errors
> 
> libsepol.mls_read_range_helper: truncated range
> libsepol.sepol_module_package_read: invalid module in module package (at
> section 0)
> libsemanage.semanage_load_module: Error while reading from module file
> /etc/selinux/refpolicy/modules/tmp/base.pp.
> /usr/sbin/semodule:  Failed!
> make: *** [load] Error 1

-- 
Stephen Smalley
National Security Agency
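Added example (not from this thread, and not refpolicy or Fedora code): the
complete FC5-era build path for a loadable module confining a hypothetical
daemon "foo", written in raw policy language so checkmodule can compile it
without refpolicy headers. It inserts the semodule_package step between the
checkmodule and semodule commands in the question above, since checkmodule
emits a .mod and semodule -i expects a packaged .pp. The type names foo_t and
foo_exec_t, the module name, and the binary path /usr/sbin/foo are
assumptions; the MLS field :s0 matches a strict-mcs build like the one in
build.conf above.

```shell
#!/bin/sh
# Added example, not from the thread: build and load a policy module for a
# hypothetical daemon "foo". foo_t, foo_exec_t and /usr/sbin/foo are assumed.
set -e

# Type-enforcement source: declares the daemon's domain and executable type
# and lets init transition into that domain when it runs the binary.
write_foo_te() {
    cat > "$1" <<'EOF'
module foo 1.0;

require {
    type init_t;
    attribute domain;
    class process transition;
    class file { read getattr execute entrypoint };
}

# private types owned by this module
type foo_t;
type foo_exec_t;
typeattribute foo_t domain;

# init may execute the binary and transition into foo_t
allow init_t foo_exec_t : file { read getattr execute };
allow init_t foo_t : process transition;
allow foo_t foo_exec_t : file { read getattr execute entrypoint };
type_transition init_t foo_exec_t : process foo_t;
EOF
}

# File-context source: labels the daemon binary. The trailing :s0 is the
# MLS level required by an MLS/MCS policy such as strict-mcs.
write_foo_fc() {
    cat > "$1" <<'EOF'
/usr/sbin/foo   --   system_u:object_r:foo_exec_t:s0
EOF
}

# Count the allow rules in a .te file (a sanity check on the generated source).
te_allow_count() {
    grep -c '^allow ' "$1"
}

# Build and load the module. checkmodule emits an intermediate .mod, which
# semodule cannot load by itself; semodule_package wraps it, together with
# the file contexts, into the .pp that semodule -i expects.
build_foo_module() {
    dir=$1
    write_foo_te "$dir/foo.te"
    write_foo_fc "$dir/foo.fc"
    # -M: MLS/MCS-aware compile (needed for strict-mcs); -m: non-base module
    checkmodule -M -m "$dir/foo.te" -o "$dir/foo.mod"
    semodule_package -o "$dir/foo.pp" -m "$dir/foo.mod" -f "$dir/foo.fc"
    semodule -i "$dir/foo.pp"
    # apply the new file context so the type_transition takes effect
    restorecon -v /usr/sbin/foo
}

# Only perform the privileged install when asked for explicitly and the
# module toolchain is present; the source-generating functions work anywhere.
if [ "${1:-}" = "install" ] && command -v checkmodule >/dev/null 2>&1; then
    build_foo_module "$(mktemp -d)"
fi
```

Run it as root with the argument install on a box that has checkpolicy and
policycoreutils installed; without the argument it only defines the
functions. Leaving out semodule_package and feeding the .mod straight to
semodule -i is the usual cause of "invalid module" style load failures,
which is why the packaging step is kept explicit here.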
