On 05/18/2018 10:37 AM, Gionatan Danti wrote:
> On 18/05/2018 14:56, Stephen Smalley wrote:
>> As to your first point, yes, presently you have to separately keep your source .te/.fc files around to make future changes in that form. With a modern selinux userspace, however, you can extract the CIL version of the policy module via semodule -c -E, edit that, and then re-insert it.
>
> Does RHEL 7.5+ qualify as "modern selinux userspace"?

Seems to work for me even on 7.4 (and perhaps as early as 7.3),

    semodule -cE <name-of-module>
    vi <name-of-module>.cil

>> With respect to the second point, yes, the name of each policy module has to be unique, so you do have to be mindful of that. The distros should likely define some policy module namespacing rules for local policy modules so that you can at least know that you never need to worry about conflicts with distro-provided or third party package policy. And perhaps audit2allow should automatically use such a prefix.
>
> Can you point me to any documentation regarding distro-specific policy rule naming?

I don't know if there is presently any such guidance or conventions yet. I think Fedora has been working on some policy packaging guidance, but I don't know if they specified a naming convention.

>
> Thank you for your very valuable information!