On Wed, 21 Apr 2004 02:20, "mike@xxxxxxxx" <mike@xxxxxxxx> wrote: > I would like to learn the proper way for a package to install an associated > te file, rebuild the SELinux policy and load the new policy. Could someone > point me in the proper direction? Is there something better than "make > reload" in the post-install script? Currently there is no proper method. Loading the policy in the post-install alone won't do it. Any policy that is significant will add new file types, and the package which contains the policy (*) will have files that need to be labeled with those types. This means that you would have to not only load the policy but label the files in the post-install script. This is ugly. (*) I am assuming that you often want to have the .te files in the same package as the programs which need them. For some programs there may be several programs that need the same policy (examples are xdm type programs, FTP servers, etc) and so it makes sense to have policy separate from the packages. For the case of packages such as Postfix or Apache there is only one program that can possibly work with the policy so having two packages (one for policy and another for the actual package) seems at best wasteful, and at worst increases the chance of bugs relating to mis-matches between versions with no good cause. I think that doing this in any convenient way will require a change to rpm. The policy will have to be loaded before any files are installed. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
