On Wed, 2007-11-14 at 13:57 -0500, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Fri, 2007-11-09 at 14:47 -0500, Daniel J Walsh wrote:
> >> Christopher J. PeBenito wrote:
> >>> On Fri, 2007-11-09 at 11:25 -0500, Stephen Smalley wrote:
> >>>> On Fri, 2007-11-02 at 15:58 -0400, Daniel J Walsh wrote:
> >>>>> Also added translations of booleans to command line.
> >>>>>
> >>>>>> /usr/sbin/semanage boolean -l | grep nfs_export
> >>>>>> nfs_export_all_rw -> off Allow nfs to be exported read/write.
> >>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>>>> sh-3.2# /usr/sbin/semanage boolean -l | grep nfs
> >>>>>> xen_use_nfs -> off Allow xen to manage nfs files
> >>> [...]
> >>>>>> nfs_export_all_ro -> on Allow nfs to be exported read only
> >>>>> This time with the patch. :^)
> >>>> Offhand, the only problem I see is that semanage boolean -l then fails
> >>>> if /usr/share/selinux/devel/policy.xml doesn't exist, rather than just
> >>>> falling back to displaying the untranslated booleans.
> >>>>
> >>>> Also, is /usr/share/selinux/devel/policy.xml created by upstream
> >>>> refpolicy or is it Fedora-specific?
> >>> The infrastructure for building a policy.xml from the headers is
> >>> installed by upstream, but the policy.xml from refpolicy is not
> >>> installed. This allows 3rd parties to add their headers and then a
> >>> policy.xml can be built to include their module. Installing a
> >>> policy.xml there is a fedora-specific thing.
> >>>
> >> If I want to rebuild it after an interface file gets installed or want
> >> to add my own xml to it, what do I need to do?
> >
> > The 'xml' target from the headers makefile will build one. It uses the
> > xml in header if files, plus global_(booleans|tunables).xml which are
> > pre generated from the global_(booleans|tunables) in the source policy.
> >
> I am not sure how you intend this to work.
>
> Currently we ship policy.xml and the xml files for each *if file. We do
> not ship the xml files for each directory admin.xml, apps.xdl, services.xml
>
> I would have thought the third party would ship their own xml and if
> file say myapp.if and myapp.xml. Install them in
> /usr/share/selinux/devel/include/services.

Sorry, yes it uses the xml for each module, since it includes any
booleans/tunables that are declared in the te file, which isn't
installed in the headers. So a 3rd party putting their .xml for their
module in there should get included.

> Then they would execute make -f /usr/share/selinux/devel/Makefile xml
>
> And it would rebuild the policy.xml including their changes.
>
> Is this what you are thinking?

Something like that.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150