Re: distributing custom policy

On Wed, 2005-06-15 at 14:27 -0400, Security News wrote:
> Anyone have any thoughts on the best way to install my own policy
> files on a few machines?
> 
> I have to go out and find a way to install a policy file, install my
> own file_context files, and then compile and load the new custom
> policy and fc files.
> 
> These systems would be running standard FC3 with the targeted policy,
> but without the targeted sources.
> 
> I would like to set them all up so that they then have my own version
> of the strict policy, without having the source files installed.
> 
> Is rpm the best way to attack this or are there better options out
> there?  As I see it I would have to include the
> policy-strict-<version>.rpm as well as setools-<version>.rpm within my
> own rpm file in order to load everything necessary to load the policy
> and relabel the filesystem.

setools isn't needed for SELinux operation; they are purely optional
tools for policy analysis and management.

It sounds like you want to perform a wholesale replacement of the policy
on these systems.  That should be feasible without requiring policy
sources on the end systems (in the future, it will be possible to also
distribute binary policy modules that can be linked into the base policy
on the end systems without requiring sources on the end systems, but
that support won't be available until FC5).

I'm not sure why you need anything other than a selinux-policy-strict
package (which contains the binary policy file, the file_contexts
configuration, and other policy-related config files) with a modified
post scriptlet in the spec file to perform the conversion (e.g. switch
to permissive mode, change /etc/selinux/config, load new policy, relabel
filesystems, reboot).  Naturally, the devil is in the details; you'll
want to try it on a non-production system first.

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
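As an added illustration (not code from the thread or from the selinux-policy-strict package), this is the shape the modified %post scriptlet described above could take, split into functions so the /etc/selinux/config rewrite can be exercised against a scratch copy. The binary policy path under /etc/selinux/strict/policy/ and the tool locations are assumptions for FC3; check them against the real package.

```shell
#!/bin/sh
# Added example, not from the original thread: the body of a %post
# scriptlet for a custom selinux-policy-strict RPM.  File locations are
# assumptions; verify them on a non-production FC3 box first.

# Rewrite SELINUX= and SELINUXTYPE= in an /etc/selinux/config-style file,
# keeping every other line (comments included) in its original order.
set_selinux_config() {
    cfg="$1"; mode="$2"; type="$3"
    tmp="$cfg.tmp.$$"
    # Drop the two keys we own; grep -v exits 1 on no output, so tolerate it.
    grep -v -e '^SELINUX=' -e '^SELINUXTYPE=' "$cfg" > "$tmp" 2>/dev/null || :
    printf 'SELINUX=%s\nSELINUXTYPE=%s\n' "$mode" "$type" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Read one key back from the config (last definition wins, as SELinux does).
get_selinux_key() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Ask rc.sysinit for a full relabel on the next boot by creating
# /.autorelabel under the given root; succeeds only if the marker exists.
schedule_relabel() {
    root="${1:-}"
    touch "$root/.autorelabel" && [ -f "$root/.autorelabel" ]
}

# The scriptlet proper: go permissive first so a policy/label mismatch
# cannot lock the machine out, point the config at the strict policy (still
# permissive until the relabel has been checked), load the new binary
# policy, schedule the relabel and reboot.  Never run this in a test.
custom_policy_post() {
    [ -x /usr/sbin/setenforce ] && /usr/sbin/setenforce 0
    set_selinux_config /etc/selinux/config permissive strict
    # Assumed path: the package ships policy.<version> in this directory.
    /usr/sbin/load_policy /etc/selinux/strict/policy/policy.* || return 1
    schedule_relabel "" && /sbin/shutdown -r now
}
```

After the relabel boot completes and the audit log looks clean, flip SELINUX= to enforcing by hand; doing it in the scriptlet would enforce against labels that have not been rewritten yet.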
