Re: Loading a new policy

On Fri, Jan 12, 2018 at 04:53:36AM -0000, rbs s wrote:
> Hi Lukas,
> 
> I had followed the tutorial [1] earlier. But in that case, on system restart, boot fails with an error:
>  systemd[1] : Failed to initialize SELinux context: No such file or directory".
> 
> Then I had to set the boot parameter selinux=0 to boot it. 
> So next I tried using "make load". And since the config file said SELINUXTYPE can take one of the 3 values listed in it (targeted, minimum, mls), I got confused and didn't change the value.

The comment in /etc/selinux/config in Fedora is a little bit misleading.
It applies only to the Fedora-provided policies targeted, mls and minimum.
But if you need to use your own policy with a different name, you need
to change SELINUXTYPE, see man selinux_config:

      SELINUXTYPE
              The policy_name entry is used to identify the policy type, and becomes the directory name of where the policy and its configuration files are located.

              The entry can be determined using the sestatus(8) command or selinux_getpolicytype(3).

              The policy_name is relative to a path that is defined within the SELinux subsystem that can be retrieved by using selinux_path(3). An example entry retrieved by selinux_path(3) is:
                     /etc/selinux/

              The policy_name is then appended to this and becomes the 'policy root' location that can be retrieved by selinux_policy_root_path(3). An example entry retrieved is:
                     /etc/selinux/targeted

              The actual binary policy is located relative to this directory and also has a policy name pre-allocated. This information can be retrieved using selinux_binary_policy_path(3). An example entry retrieved by selinux_binary_policy_path(3) is:
                     /etc/selinux/targeted/policy/policy

              The binary policy name has by convention the SELinux policy version that it supports appended to it. The maximum policy version supported by the kernel can be determined using the sestatus(8) command or security_policyvers(3). An example binary policy file with the version is:
                     /etc/selinux/targeted/policy/policy.24


If you want to use refpolicy which is stored in /etc/selinux/refpolicy
you need to set

SELINUXTYPE=refpolicy

Petr
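
An added example, not part of the original message or of any SELinux tool: a shell check that the SELINUXTYPE value in the config names a directory under /etc/selinux that actually holds a binary policy file, following the layout quoted from selinux_config(5) above. The function names, the root-prefix argument and the scratch tree built in demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example; ROOT is a hypothetical prefix so the check can run against a
# scratch tree. Pass / to inspect the live system.

# Print SELINUXTYPE from a config file (this example takes the last uncommented assignment).
selinux_type() {
    sed -n 's/^[[:space:]]*SELINUXTYPE=\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# List policy names under ROOT/etc/selinux that hold policy/policy.<version>.
installed_policies() {
    for f in "${1%/}"/etc/selinux/*/policy/policy.*; do
        [ -f "$f" ] || continue            # glob matched nothing
        d=${f%/policy/policy.*}            # strip down to the policy root
        echo "${d##*/}"                    # keep only the policy name
    done | sort -u
}

# Return 0 if SELINUXTYPE names a directory holding a binary policy, else 1.
check_selinuxtype() {
    conf="${1%/}/etc/selinux/config"
    ptype=$(selinux_type "$conf" 2>/dev/null)
    if [ -z "$ptype" ]; then
        echo "SELINUXTYPE not set in $conf"
        return 1
    fi
    if installed_policies "$1" | grep -qxF -- "$ptype"; then
        echo "ok: SELINUXTYPE=$ptype"
        return 0
    fi
    echo "SELINUXTYPE=$ptype has no binary policy; installed: $(installed_policies "$1" | tr '\n' ' ')"
    return 1
}

# Constructed scratch tree: refpolicy is installed, config still says targeted.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/selinux/refpolicy/policy"
    : > "$t/etc/selinux/refpolicy/policy/policy.31"   # constructed, empty file
    printf '# comment line\nSELINUXTYPE=targeted\n' > "$t/etc/selinux/config"
    before=0; check_selinuxtype "$t" || before=$?
    printf '# comment line\nSELINUXTYPE=refpolicy\n' > "$t/etc/selinux/config"
    after=0; check_selinuxtype "$t" || after=$?
    rm -rf "$t"
    echo "before=$before after=$after"
}
```

Call `demo` to see the mismatch reported and then cleared, or `check_selinuxtype /` to check the running system's configuration.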
