Thank you for the reply, I now a bit closer to the right track. :) To work the build path around, I start with "audit2allow." With my box installed with selinux-policy-strict-2.3.7-2.fc5 and turned selinux mode to "permissive," I run audit2allow as follows: #audit2allow -m dmesg -d > dmesg.te #checkmodule -M -m -o dmesg.mod dmesg.te #semodule_package -o dmesg.pp -m dmesg.mod #semodule -I dmesg.pp Then I had the following errors: /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-get (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0). /etc/selinux/strict/contexts/files/file_contexts: Multiple different specifications for /usr/bin/apt-shell (system_u:object_r:rpm_exec_t:s0 and system_u:object_r:apt_exec_t:s0). I googled out your reply on same errors in 2004 and it says: "You shouldn't enable both rpm.te and dpkg.te in the same policy; they conflict." Without policy source, how can I disable either rpm.te or dpkg.te? Besides, I tried to mark rules related to rpm in my .te file, but it didn't fix the problem. Here is a copy of my dmesg.te file: #################################################################### module dmesg 1.0; require { class blk_file { ioctl read }; class dbus send_msg; class dir { add_name create relabelfrom relabelto remove_name rename reparent rmdir search setattr write }; class fd use; class fifo_file { getattr ioctl write }; class file { append create execute getattr ioctl lock read relabelfrom relabelto rename setattr unlink write }; class lnk_file { create read relabelfrom relabelto rename setattr }; class process { execmem setexec }; class security load_policy; class shm { associate getattr read unix_read unix_write write }; class sock_file { unlink write }; class unix_stream_socket connectto; type apmd_log_t; type auditctl_exec_t; type auditd_exec_t; type auditd_log_t; type etc_t; type faillog_t; type file_context_t; type file_t; type fonts_t; type hald_t; type ice_tmp_t; type initrc_exec_t; type krb5_conf_t; type lastlog_t; type lib_t; type man_t; type nscd_var_run_t; type pam_t; type policy_config_t; type removable_device_t; type rpm_log_t; type rpm_var_lib_t; type sbin_t; # type security_t; type selinux_config_t; type semanage_read_lock_t; type semanage_store_t; type semanage_trans_lock_t; type staff_t; type staff_tmpfs_t; type system_dbusd_t; type system_dbusd_var_run_t; type tmp_t; type user_home_dir_t; type user_home_t; type usr_t; type var_log_t; type var_run_t; type var_t; type xdm_t; type xdm_xserver_t; role staff_r; role system_r; }; allow hald_t staff_t:dbus send_msg; allow pam_t lib_t:file { execute getattr read }; allow pam_t nscd_var_run_t:dir search; allow pam_t xdm_t:fd use; allow pam_t xdm_t:fifo_file { getattr ioctl write }; allow staff_t apmd_log_t:file read; allow staff_t auditctl_exec_t:file { relabelto setattr }; allow staff_t auditd_exec_t:file { relabelto setattr }; allow staff_t auditd_log_t:dir { relabelto setattr }; allow staff_t etc_t:dir { add_name remove_name write }; allow staff_t etc_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t etc_t:lnk_file create; allow staff_t faillog_t:file read; allow staff_t file_context_t:dir { add_name remove_name write }; allow staff_t file_context_t:file { create rename setattr unlink write }; allow staff_t file_t:file read; allow staff_t fonts_t:file read; allow staff_t hald_t:dbus send_msg; allow staff_t ice_tmp_t:sock_file write; allow staff_t initrc_exec_t:file { relabelto setattr }; allow staff_t krb5_conf_t:file { read write }; allow staff_t lastlog_t:file read; allow staff_t lib_t:dir { add_name remove_name write }; allow staff_t lib_t:file { create relabelfrom relabelto rename setattr unlink write }; allow staff_t lib_t:lnk_file { create relabelfrom relabelto rename setattr }; allow staff_t man_t:dir { add_name remove_name write }; allow staff_t man_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t policy_config_t:dir { add_name remove_name write }; allow staff_t policy_config_t:file { create read rename unlink write }; allow staff_t removable_device_t:blk_file { ioctl read }; allow staff_t rpm_log_t:file append; allow staff_t rpm_var_lib_t:dir { add_name write }; allow staff_t rpm_var_lib_t:file { create lock read write }; allow staff_t sbin_t:dir { add_name remove_name write }; allow staff_t sbin_t:file { create relabelfrom relabelto rename setattr write }; #allow staff_t security_t:security load_policy; allow staff_t selinux_config_t:dir { add_name create remove_name rename rmdir write }; allow staff_t selinux_config_t:file { create rename unlink write }; allow staff_t semanage_read_lock_t:file { lock read write }; allow staff_t semanage_store_t:dir { remove_name rename rmdir write }; allow staff_t semanage_store_t:file { read unlink }; allow staff_t semanage_trans_lock_t:file { lock read write }; allow staff_t self:process { execmem setexec }; allow staff_t system_dbusd_t:unix_stream_socket connectto; allow staff_t system_dbusd_var_run_t:sock_file write; allow staff_t tmp_t:file { execute read write }; allow staff_t tmp_t:sock_file { unlink write }; allow staff_t user_home_dir_t:dir { add_name create rename rmdir write }; allow staff_t user_home_dir_t:file { create ioctl read relabelfrom rename setattr write }; allow staff_t user_home_dir_t:lnk_file { create read }; allow staff_t user_home_t:dir { add_name create remove_name rename reparent rmdir write }; allow staff_t user_home_t:file { create ioctl lock relabelto rename setattr unlink }; allow staff_t user_home_t:lnk_file create; allow staff_t usr_t:dir { add_name create relabelfrom relabelto remove_name setattr write }; allow staff_t usr_t:file { create relabelfrom relabelto rename setattr write }; allow staff_t var_log_t:dir { add_name create relabelfrom write }; allow staff_t var_log_t:file read; allow staff_t var_run_t:dir { add_name remove_name write }; allow staff_t var_run_t:file { create unlink write }; allow staff_t var_t:dir { add_name remove_name write }; allow staff_t var_t:file { create setattr unlink write }; allow staff_t xdm_xserver_t:unix_stream_socket connectto; allow xdm_xserver_t staff_t:fd use; allow xdm_xserver_t staff_t:shm { associate getattr read unix_read unix_write write }; allow xdm_xserver_t staff_tmpfs_t:file { read write }; ################################################################### -----Original Message----- From: Stephen Smalley [mailto:sds@xxxxxxxxxxxxx] Sent: Tuesday, September 19, 2006 8:58 PM To: Benjamin Tsai Cc: Christopher J. PeBenito; Daniel J Walsh; Karl MacMillan; Joshua Brindle; fedora-selinux-list@xxxxxxxxxx Subject: RE: How to apply new policy exactly? On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote: > I want to write policy for my own daemon, instead of a strict policy. > So, I stepped on the wrong road from the beginning? > Though, according to the document "Configuring the SELinux Policy", it > indicates a path to policy source. That's because it was written before modular policy support existed. Useful links: Fedora Core 5 SELinux FAQ http://fedora.redhat.com/docs/selinux-faq-fc5/ Fedora SELinux Wiki http://fedoraproject.org/wiki/SELinux/ Dan and Joshua, it looks like the links to various Tresys site pages are no longer valid. > Well then, what's a correct build path? Are the following steps correct? > write foo.te file, and execute > #checkmodule -M -m foo.te -o foo.mod > Then > #semodule -i foo.mod semodule acts on a policy module package rather than just a module, which you can create via: semodule_package -o foo.pp -m foo.mod If you have file contexts as well, you can bundle them within the package, as in: semodule_package -o foo.pp -m foo.mod -f foo.fc But this can all be handled more easily via the sequence described in: http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577 > Besides, is it then impossible to customize my own base policy package? > Or I shall start over and write my own base module word by word? It isn't impossible, but in many cases, it is no longer necessary - you can define your own policy modules and add them, or you can use semanage to customize other local settings, while still being able to just use the Fedora-provided base policy and any updates to it. You can certainly replace the entire policy and just use the refpolicy from oss.tresys.com, but if you don't need to do so, then it is just making more work for yourself. -- Stephen Smalley National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list