On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.

That's because it was written before modular policy support existed.

Useful links:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki
http://fedoraproject.org/wiki/SELinux/

Dan and Joshua, it looks like the links to various Tresys site pages are
no longer valid.

> Well then, what's a correct build path? Are the following steps correct?
> write foo.te file, and execute
> #checkmodule -M -m foo.te -o foo.mod
> Then
> #semodule -i foo.mod

semodule acts on a policy module package rather than just a module,
which you can create via:
    semodule_package -o foo.pp -m foo.mod
If you have file contexts as well, you can bundle them within the
package, as in:
    semodule_package -o foo.pp -m foo.mod -f foo.fc

But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577

> Besides, is it then impossible to customize my own base policy package?
> Or I shall start over and write my own base module word by word?

It isn't impossible, but in many cases, it is no longer necessary - you
can define your own policy modules and add them, or you can use semanage
to customize other local settings, while still being able to just use
the Fedora-provided base policy and any updates to it. You can
certainly replace the entire policy and just use the refpolicy from
oss.tresys.com, but if you don't need to do so, then it is just making
more work for yourself.

--
Stephen Smalley
National Security Agency
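
The build sequence from the reply above (compile, package, install), wrapped as a shell function. This is an added example, not part of the original message; the function names and the `DRY_RUN` variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build and load a local SELinux policy module from NAME.te,
# bundling NAME.fc when it exists. DRY_RUN=1 (hypothetical knob) prints the
# commands instead of running them, so the sequence can be reviewed first.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

build_policy_module() {
    name=$1
    if [ -z "$name" ] || [ ! -f "$name.te" ]; then
        echo "usage: build_policy_module NAME (NAME.te must exist)" >&2
        return 2
    fi

    # 1. Compile the source into a binary module.
    #    -M enables MLS support, -m produces a non-base (loadable) module.
    run checkmodule -M -m "$name.te" -o "$name.mod" || return 1

    # 2. Wrap the module in a policy package; semodule only accepts packages.
    #    File contexts are bundled with -f when a .fc file is present.
    if [ -f "$name.fc" ]; then
        run semodule_package -o "$name.pp" -m "$name.mod" -f "$name.fc" || return 1
    else
        run semodule_package -o "$name.pp" -m "$name.mod" || return 1
    fi

    # 3. Install the package (not the bare .mod) into the module store.
    run semodule -i "$name.pp" || return 1
}
```

Run it from the directory holding `foo.te` as `build_policy_module foo`; the install step needs root.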