Thank you all for your answers

-----Original Message-----
From: Dominick Grift [mailto:dominick.grift@xxxxxxxxx]
Sent: Thursday, 5 December 2013 17:26
To: Vidalie Hervé
Cc: Daniel J Walsh; Bruno Wolff III; selinux@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: priority between file context rules

On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
> Hello,
>
> Thank you for your answers.
>
> I have two remaining questions:
> - I would like to create a policy package file to define and add these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
> - Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
>

I will give you an example.

For example, let's say I want to create a policy package that associates system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it.

cat > mywww.te <<EOF
policy_module(mywww, 1.0.0)

gen_require(\`
	type httpd_sys_content_t;
')
EOF

The above creates a file with name mywww.te.

The first line declares a new policy module of name mywww with version 1.0.0.

The second line imports the httpd_sys_content_t type identifier. Type identifiers that are declared outside of this module need to be imported into this module before we can use them.

The system_u, object_r, and s0 identifiers do not need to be imported because they are core identifiers that are automatically imported when you declare a policy module (the first line).

cat > mywww.fc <<EOF
/mywww(/.*)?	system_u:object_r:httpd_sys_content_t:s0
EOF

The above creates a file with name mywww.fc.

The line in this file specifies the file context. It associates the security context of system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it. The (/.*)? is a POSIX regular expression statement.

make -f /usr/share/selinux/devel/Makefile mywww.pp

The above command creates a mywww.pp file. This is a policy package that we can use to load the policy into the system.

sudo semodule -i mywww.pp

The above command loads the policy package into the system. This will be persistent.

To remove it:

sudo semodule -r mywww

See man semodule for more details on how to manage policy packages.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, the Worldline liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
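The procedure Dominick walks through (write the .te and .fc sources, build the .pp, load it) as one script, added here as an example and not taken from the thread. It assumes a Fedora/RHEL host with selinux-policy-devel and policycoreutils installed, and it adds the two steps the thread leaves implicit: escaping regex metacharacters in the path, and running restorecon, because loading a module only records the mapping and does not relabel files that already exist.

```shell
#!/bin/sh
# Added example, not part of the original thread: generate the .te/.fc sources
# Dominick describes, build and load the package, then relabel the path.
# Assumes selinux-policy-devel (for /usr/share/selinux/devel/Makefile) and
# policycoreutils (semodule, restorecon, matchpathcon) are installed.

# write_module_sources NAME PATH TYPE DIR -> writes DIR/NAME.te and DIR/NAME.fc
write_module_sources() {
    name=$1; path=$2; ctx_type=$3; dir=$4
    # gen_require imports a type declared outside this module; the trailing
    # semicolon after the type name is required policy syntax.
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0.0)

gen_require(\`
    type $ctx_type;
')
EOF
    # The first .fc column is a regular expression: escape dots in the path so
    # /srv/my.site does not also match /srv/myXsite.
    esc=$(printf '%s' "$path" | sed 's/\./\\./g')
    printf '%s(/.*)? system_u:object_r:%s:s0\n' "$esc" "$ctx_type" > "$dir/$name.fc"
}

# build_and_load NAME DIR -> compiles NAME.pp in DIR and loads it persistently
build_and_load() {
    name=$1; dir=$2
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" ) || return 1
    sudo semodule -i "$dir/$name.pp"
}

# relabel_and_check PATH: loading the module only records the mapping. Files
# that already exist keep their old label until restorecon applies the new
# one; files created afterwards inherit the directory's type by default.
relabel_and_check() {
    path=$1
    sudo restorecon -Rv "$path"
    matchpathcon "$path"      # prints the context the policy now assigns
}

# Usage: sh mywww-module.sh apply /mywww
if [ "$#" -eq 2 ] && [ "$1" = apply ]; then
    work=$(mktemp -d)
    write_module_sources mywww "$2" httpd_sys_content_t "$work"
    build_and_load mywww "$work" && relabel_and_check "$2"
fi
```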