Re: custom selinux policy

[Daniel J Walsh <dwalsh@xxxxxxxxxx>]

Laurent Jacquot wrote:
> On mar, 2005-11-29 at 15:16 -0500, Daniel J Walsh wrote:
>   
> > Laurent Jacquot wrote:
> >     
> > > On mar, 2005-11-29 at 11:32 -0500, Daniel J Walsh wrote:
> > >   
> > >       
> > > > Laurent Jacquot wrote:
> > > >     
> > > >         
> > > > > Hello,
> > > > > I can no longer build my custom selinux policy with recent upgrades (SE
> > > > > policy source replaced with SE policy).
> > > > > What is the new way (used to be make reload)?
> > > > >
> > > > > tx in advance
> > > > > 	jk
> > > > >
> > > > >   
> > > > >       
> > > > >           
> > > > You need to  use loadable modules.  Take a look a the man page for 
> > > > audit2allow, for some explanation.  I don't know if we have a good 
> > > > description available yet for loadable policy.
> > > >
> > > > The hardest part of converting your local.te into a loadable module will 
> > > > be writing the require section.
> > > > You need to define all types, class and roles in this section in order 
> > > > to get the loadable module.
> > > > ==================================================================================
> > > >        module local 1.0;
> > > >
> > > >        require {
> > > >                role system_r;
> > > >
> > > >                class fifo_file {  getattr ioctl };
> > > >
> > > >                type cupsd_config_t;
> > > >                type unconfined_t;
> > > >         };
> > > >
> > > >        allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
> > > > ==================================================================================
> > > >
> > > > --
> > > >     
> > > >         
> > > Thanks a lot for this info.
> > > BTW the audit2allow (policycoreutils-1.27.29-1) manpage isn't updated
> > > regarding the module stuff. Hopefully, the -M option is verbose
> > >
> > > Would you mind shed some light on the new file context definition? (used
> > > to be local.fc)
> > >
> > > Laurent
> > >
> > >
> > >
> > >   
> > >       
> > manpage looks correct on my machine?
> >
> > File context file should be the same.
> >
> >  checkmodule -M -m -o /tmp/local.mod /tmp/local.te
> > semodule_package -o /tmp/local.pp -m /tmp/local.mod -f /tmp/local.fc
> >     
>
> Will try as soon as I find time. Does this semanage thing is to be run
> each time a reboot occurs in order to load my custom modules or it
> recalls it automagically?
>   
Init will automagically load your custum policy
> semodule -l
Shows all loadable modules currently in put policy.

> manpage is ok now that I deleted /var/cache/man/cat1/audit2allow.1.bz2.
> Is it a bug? - first time I see this behavior..
>
>   
I have no idea what happened
> Anyway, thanks a lot to all the giants managing to transition those
> udev, selinux, modular xorg, etc.. so smoothly.
>
>   
The wonder of OpenSource.
> Laurent
>
>
>   


--


--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list