On 5.6.2015 at 15:20, Marko Rauhamaa wrote:
> Simon Sekidde <ssekidde@xxxxxxxxxx>:
>
>>> I am a developer creating a new type of service. Let's call it
>>> "abcd." Am I expected to have my RPM package create a new type
>>> "abcd_exec_t"?
>>
>> This would have to be defined in the type enforcing (.te) file for
>> "abcd"
>
> I take it the answer to my question is, Yes. Thank you.
>
> Now, I suppose the process is to create abcd.te in my source code. I
> then compile the .te file as follows:
>
>    checkmodule -M -m -o abcd.mod abcd.te
>    semodule_package -o abcd.pp -m abcd.mod
>

You can use the Makefile from the selinux-policy-devel package:

$ make -f /usr/share/selinux/devel/Makefile abcd.pp

I'd suggest using 'sepolicy generate' to generate an initial template
which you can adjust for your needs. It will generate SELinux files, a
spec file and a script which helps with deploying:

$ sepolicy generate --application /usr/bin/abcde -n abcde
***************************************
Warning /usr/bin/abcde does not exist
***************************************
Created the following files:
/home/plautrba/policy/abcde.te # Type Enforcement file
/home/plautrba/policy/abcde.if # Interface file
/home/plautrba/policy/abcde.fc # File Contexts file
/home/plautrba/policy/abcde_selinux.spec # Spec file
/home/plautrba/policy/abcde.sh # Setup Script

> I include abcd.pp in my RPM package and have its postinstall section
> execute:
>
>    semodule -i abcd.pp
>
> Right?

That's right. Note that a module file should be located in
/usr/share/selinux/packages

This is the spec file code generated by 'sepolicy generate':

%post
semodule -n -i %{_datadir}/selinux/packages/abcde.pp
if /usr/sbin/selinuxenabled ; then
    /usr/sbin/load_policy
    %relabel_files
fi;
exit 0

Petr

--
Petr Lautrbach
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
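
The steps discussed in this thread, as an added example that is not part of the original messages or of any project's code: a script that writes minimal policy sources declaring abcd_exec_t for a hypothetical daemon "abcd" and builds them with the devel Makefile. The binary path /usr/bin/abcd, the module version, and the assumption that abcd is started by init/systemd (hence init_daemon_domain) are illustrative choices.

```shell
#!/bin/sh
# Added example: minimal policy sources for a hypothetical daemon "abcd".
# Assumptions: binary at /usr/bin/abcd, started by init/systemd.

# Write abcd.te and abcd.fc into directory $1.
write_policy_sources() {
    dir=$1
    # Type enforcement: declares the domain and its entrypoint type.
    cat > "$dir/abcd.te" <<'EOF'
policy_module(abcd, 1.0.0)

# abcd_t is the domain of the running process
# abcd_exec_t is the label carried by the binary on disk
type abcd_t;
type abcd_exec_t;
# Make abcd_t a daemon domain entered from init via files labelled abcd_exec_t
init_daemon_domain(abcd_t, abcd_exec_t)

# No extra allow rules yet; add them from audit denials seen during testing
EOF
    # File contexts: which path carries abcd_exec_t ("--" = regular file).
    cat > "$dir/abcd.fc" <<'EOF'
/usr/bin/abcd    --    gen_context(system_u:object_r:abcd_exec_t,s0)
EOF
}

# Build with the selinux-policy-devel Makefile (it expands policy_module and
# the interface macros, which plain checkmodule does not), then load the
# module and relabel the binary so it picks up abcd_exec_t.
build_and_install() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile abcd.pp ) || return 1
    semodule -i "$dir/abcd.pp" || return 1
    restorecon -v /usr/bin/abcd
}

# Run as: sh abcd-policy.sh build   (needs root and selinux-policy-devel)
if [ "${1:-}" = "build" ]; then
    write_policy_sources . && build_and_install .
fi
```

In an RPM the build step belongs in the package build and only the semodule and relabel steps in %post, as in the generated spec code quoted above.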