On Mon, 2009-01-19 at 15:53 -0500, Jacques Thomas wrote:
> Stephen Smalley wrote:
> > On Fri, 2009-01-16 at 20:23 +0100, Dominick Grift wrote:
> >
> >> On Fri, 2009-01-16 at 14:03 -0500, Stephen Smalley wrote:
> >>
> >>> You need to first obtain a policy source tree as your starting point.
> >>> If you want to minimize your divergence from the distro-shipped policy,
> >>> then download the selinux-policy source RPM (.src.rpm) for your distro,
> >>> expand it, and then customize as desired and rebuild it (Dan - is there
> >>> a recipe documented somewhere for doing that?).
> >>>
> >> I have created a screen cast that focuses on just that. However, the
> >> file is 200MB and I do not have the ability to host it.
> >>
> >
> > I just meant writing down the sequence of commands to set up a buildable
> > policy source tree from the .src.rpm. Screencast seems a bit overkill
> > for that - it really ought to just be part of the Fedora SELinux FAQ or
> > Guide IMHO.
> >
>
> Here's what works for me to tweak the policy on a Fedora 8 system.
>
> Make sure you have the latest policy package (otherwise, you might not
> be able to get it in source version):
> yum update
> yum install selinux-policy-targeted
>
> Figure out the version of the rpm:
> rpm -qa | grep selinux-policy-targeted
>
> Get the corresponding source rpm:
> yumdownloader --source `rpm -qa | grep policy-targeted`
>
> Voila! The source rpm is in your current directory.
>
> From there on, regular instructions for rebuilding rpms apply. The
> following is a short tutorial.
> http://www.hacktux.com/fedora/source/rpm

I think we need something more specific to the policy, similar to the
instructions for building a custom kernel at
http://fedoraproject.org/wiki/Docs/CustomKernel

Getting a buildable policy tree that matches the Fedora shipped policy
configuration isn't as straightforward as one might like, since the spec
file defers most of the real work to the %install target and specifies
different build.conf settings (via command-line override to make) and
different modules.conf configurations based on the particular policy
type. The question does seem to keep arising on fedora-selinux-list and
selinux list, so it would be helpful to have it documented somewhere.

--
Stephen Smalley
National Security Agency