Does anyone have tips on how to write portable policy? For example, this policy:

    gen_tunable(local_custom_gssd_t_permissive, false)

    gen_require(`
        type gssd_t;
        type kernel_t;
        type tmp_t;
        class capability2 block_suspend;
        class file unlink;
        class key { read view setattr write };
    ')

    tunable_policy(`local_custom_gssd_t_permissive',`
        allow gssd_t kernel_t:key { read view setattr write };
        allow gssd_t tmp_t:file unlink;
        allow gssd_t self:capability2 block_suspend;
    ')

…will build on any of (RHEL5, RHEL6, RHEL7), but if you attempt to load this policy on anything but RHEL7, it will fail with this error:

    libsepol.permission_copy_callback: Module local depends on permission block_suspend in class capability2, not satisfied (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
    /usr/sbin/semodule: Failed!

A fair amount of the policy we write applies to all of our systems, so if we have to resort to maintaining separate policy for each of (RHEL5, RHEL6, RHEL7), there's going to be duplication, and we'd prefer to avoid that.

Are there any feature-test m4 macros that would ease writing cross-distro policy? What techniques do others use to avoid unnecessary duplication of policy when you need to maintain similar policy on different distros?

Thanks in advance for any tips.

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
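The link error above is a class/permission feature test failing at module link time, so one way to make the fragment portable is to run that test yourself before building. The following script is an added example, not code from the post or from the reference policy: it checks whether the loaded kernel policy defines a permission by looking for it under selinuxfs (/sys/fs/selinux/class/<class>/perms/<perm>), then emits the poster's .te fragment with the capability2 declaration and rule included only when the kernel knows the permission. The SELINUXFS variable and the function names has_perm and gen_policy are this example's own; the mount point is a parameter so the script can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Feature-test a class permission against the loaded SELinux policy (as exposed by
# selinuxfs) and emit a .te fragment that only references permissions the kernel defines.
# Assumption: selinuxfs is mounted at /sys/fs/selinux unless SELINUXFS overrides it;
# the loaded policy is assumed to match the module store semodule links against.

SELINUXFS="${SELINUXFS:-/sys/fs/selinux}"

# has_perm FS CLASS PERM -> exit status 0 if the loaded policy defines PERM in CLASS.
# selinuxfs publishes one file per permission under class/<CLASS>/perms/.
has_perm() {
    [ -e "$1/class/$2/perms/$3" ]
}

# gen_policy FS -> print the policy fragment on stdout. The capability2 lines are
# emitted only when block_suspend exists, so the same generator works on RHEL5/6/7.
gen_policy() {
    fs="$1"
    cat <<'EOF'
gen_tunable(local_custom_gssd_t_permissive, false)

gen_require(`
    type gssd_t;
    type kernel_t;
    type tmp_t;
    class file unlink;
    class key { read view setattr write };
EOF
    if has_perm "$fs" capability2 block_suspend; then
        printf '    class capability2 block_suspend;\n'
    fi
    cat <<'EOF'
')

tunable_policy(`local_custom_gssd_t_permissive',`
    allow gssd_t kernel_t:key { read view setattr write };
    allow gssd_t tmp_t:file unlink;
EOF
    if has_perm "$fs" capability2 block_suspend; then
        printf '    allow gssd_t self:capability2 block_suspend;\n'
    fi
    printf "')\n"
}

# Usage on a real host: generate the .te for this kernel, then build and load as usual.
#   gen_policy "$SELINUXFS" > local_custom.te
#   make -f /usr/share/selinux/devel/Makefile local_custom.pp && semodule -i local_custom.pp
```

Because the test is done against the policy actually loaded on the host, the generated module never references a class or permission that the link step would reject, and the shared rules stay in a single source. The same has_perm check can be wrapped around any other version-specific declaration in the fragment.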