On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
> Hello,
>
> Thank you for your answers.
>
> I have two remaining questions:
> -I would like to create a policy package file to define add this file context mappings. How to add mapping rules and rules for automatically labeling created files?
> -Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
>

I will give you an example.

For example, let's say I want to create a policy package that associates system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it.

cat > mywww.te <<EOF
policy_module(mywww, 1.0.0)
gen_require(\`
type httpd_sys_content_t;
')
EOF

The above creates a file with name mywww.te.

The first line declares a new policy module of name mywww with version 1.0.0.

The second line imports the httpd_sys_content_t type identifier. Type identifiers that are declared outside of this module need to be imported to this module before we can use them.

The system_u, object_r, and s0 identifiers do not need to be imported because they are core identifiers that are automatically imported when you declare a policy module (the first line).

cat > mywww.fc <<EOF
/mywww(/.*)? system_u:object_r:httpd_sys_content_t:s0
EOF

The above creates a file with name mywww.fc.

The line in this file specifies the file context.

It associates the security context of system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it.

The (/.*)? is a POSIX regular expression statement.

make -f /usr/share/selinux/devel/Makefile mywww.pp

The above command creates a mywww.pp file.

This is a policy package that we can use to load the policy into the system.

sudo semodule -i mywww.pp

The above command loads the policy package into the system. This will be persistent.

To remove it:

sudo semodule -r mywww

See man semodule for more details on how to manage policy packages.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
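An added example, not part of the original message: an offline check of which paths the mywww.fc entry above covers, useful for confirming a pattern does not label more than intended before the module is loaded. The function name fc_lookup and the sample paths are assumptions made for illustration; the lookup emulates whole-path matching with grep and returns the first matching entry, which is a simplification of how the loaded policy orders entries.

```shell
#!/bin/sh
# File context regexes are matched against the whole path (anchored at
# both ends); grep -E -x reproduces that anchoring here.

# Constructed sample: same content as the mywww.fc file created above.
FC_SAMPLE='/mywww(/.*)?    system_u:object_r:httpd_sys_content_t:s0'

# fc_lookup FC_TEXT PATH   (hypothetical helper)
# Prints the context of the first entry whose regex matches PATH in full;
# returns 1 when no entry matches.
fc_lookup() {
    fc_text=$1
    path=$2
    while read -r regex second third; do
        # Skip blank lines and comments.
        case $regex in ''|'#'*) continue ;; esac
        # An entry is "regex [file-type] context"; the context is last.
        context=${third:-$second}
        if printf '%s\n' "$path" | grep -E -q -x -- "$regex"; then
            printf '%s\n' "$context"
            return 0
        fi
    done <<EOF
$fc_text
EOF
    return 1
}

# Constructed sample paths: the directory, a file below it, and two
# look-alike paths that must not pick up the web content label.
for p in /mywww /mywww/index.html /mywwwbackup/x /srv/mywww; do
    printf '%-20s %s\n' "$p" "$(fc_lookup "$FC_SAMPLE" "$p" || echo '<no match>')"
done
```

On a system where the module is loaded, `matchpathcon /mywww/index.html` shows the context the policy assigns to a path, and `restorecon -R -v /mywww` applies it to files that already exist.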