Local modifications best practices?

Stephen Smalley sds at tycho.nsa.gov
Thu Jul 10 20:15:24 UTC 2008


On Thu, 2008-07-10 at 22:05 +0200, Jan Kasprzak wrote:
> 	Hello,
> 
> are there any best practices for storing local modifications to the
> security policy? Where to put local *.fc and *.te files and how to
> create and install the binary modules from them?
> 
> 	For example - on my router I keep the state data
> (arpwatch, dhcpd.leases, etc.) on a shared DRBD volume, so I need
> to add a local *.fc file for this volume, so that arpwatch and dhcpd
> can access it.
> 
> 	So far I have put the local *.te and *.fc files into /root/selinux,
> created /root/selinux/Makefile, and I use "make" for compiling the
> modules, and "make install" for installing them. Is there any canonical
> way of doing this on Fedora?

I don't think so, yet.

The policy packages install under /usr/share/selinux/$SELINUXTYPE.
Looks like some packages are installing
under /usr/share/selinux/packages/$PACKAGENAME, e.g. BackupPC is putting
its module .pp file there.
The recent semanage permissive support is dynamically creating
permissive domain modules under /var/lib/selinux but those are just
temporary files I think to generate a .pp file and install it - they
don't need to keep the .te file around afterward.

-- 
Stephen Smalley
National Security Agency



