On Jan 20, 2009, at 8:26 AM, Stephen Smalley wrote:
On Mon, 2009-01-19 at 15:53 -0500, Jacques Thomas wrote:
Stephen Smalley wrote:
On Fri, 2009-01-16 at 20:23 +0100, Dominick Grift wrote:
On Fri, 2009-01-16 at 14:03 -0500, Stephen Smalley wrote:

You need to first obtain a policy source tree as your starting point.
If you want to minimize your divergence from the distro-shipped policy,
then download the selinux-policy source RPM (.src.rpm) for your distro,
expand it, and then customize as desired and rebuild it (Dan - is there
a recipe documented somewhere for doing that?).

I have created a screen cast that focuses on just that. However, the
file is 200MB and I do not have the ability to host it.

I just meant writing down the sequence of commands to set up a buildable
policy source tree from the .src.rpm. Screencast seems a bit overkill
for that - it really ought to just be part of the Fedora SELinux FAQ or
Guide IMHO.

Here's what works for me to tweak the policy on a Fedora 8 system.

Make sure you have the latest policy package (otherwise, you might not
be able to get it in source version):

    yum update
    yum install selinux-policy-targeted

Figure out the version of the rpm:

    rpm -qa | grep selinux-policy-targeted

Get the corresponding source rpm:

    yumdownloader --source `rpm -qa | grep policy-targeted`

Voila! The source rpm is in your current directory.

From there on, regular instructions for rebuilding rpms apply. The
following is a short tutorial.
http://www.hacktux.com/fedora/source/rpm

I think we need something more specific to the policy, similar to the
instructions for building a custom kernel at
http://fedoraproject.org/wiki/Docs/CustomKernel

Getting a buildable policy tree that matches the Fedora shipped policy
configuration isn't as straightforward as one might like, since the spec
file defers most of the real work to the %install target and specifies
different build.conf settings (via command-line override to make) and
different modules.conf configurations based on the particular policy
type. The question does seem to keep arising on fedora-selinux-list and
selinux list, so it would be helpful to have it documented somewhere.

I'm sure Dan has better mojo, but I:
- install the src rpm
- add patches to SOURCE directory
- patch spec file to incorporate patches in SOURCE
- build policy rpms using patched spec file
joe
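
The four steps listed in the last message, sketched as an added example that is not part of the original thread or of the Fedora packaging. The helper name add_spec_patch, the patch number 100, the `%patch -P` form and the sample spec are assumptions; the sample spec is a constructed stand-in, not the real selinux-policy.spec.

```shell
#!/bin/bash
# Added example: steps 2-3 of the list above (stage a patch, register it in the spec).
# Steps 1 and 4 need a real build host:
#   rpm -ivh selinux-policy-<version>.src.rpm   # unpack into the rpmbuild tree
#   rpmbuild -ba SPECS/selinux-policy.spec      # rebuild the policy RPMs

# add_spec_patch TOPDIR SPECNAME PATCHFILE NUM  (hypothetical helper)
add_spec_patch() {
    local topdir="$1" spec="$1/SPECS/$2" patch="$3" num="$4" name
    name=$(basename "$patch")
    [ -f "$spec" ] && [ -f "$patch" ] || { echo "missing spec or patch" >&2; return 1; }
    # Refuse to reuse a patch number the spec already declares.
    if grep -qi "^Patch${num}:" "$spec"; then
        echo "Patch${num} already declared in $spec" >&2; return 1
    fi
    # Both anchor lines must exist, or the edit would silently do nothing.
    grep -qiE '^(source|patch)[0-9]*:' "$spec" && grep -q '^%setup' "$spec" ||
        { echo "no Source/Patch tag or %setup line in $spec" >&2; return 1; }
    cp "$patch" "$topdir/SOURCES/$name" || return 1
    # Declare the patch after the last Source/Patch tag; apply it after %setup.
    awk -v num="$num" -v name="$name" '
        { lines[NR] = $0 }
        tolower($0) ~ /^(source|patch)[0-9]*:/ { last = NR }
        END {
            for (i = 1; i <= NR; i++) {
                print lines[i]
                if (i == last) print "Patch" num ": " name
                if (lines[i] ~ /^%setup/) print "%patch -P " num " -p1"
            }
        }' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# Constructed stand-in for an unpacked source RPM (not the real Fedora spec).
make_sample_tree() {
    local top
    top=$(mktemp -d) || return 1
    mkdir -p "$top/SPECS" "$top/SOURCES"
    printf '%s\n' 'Name: selinux-policy' 'Source: serefpolicy.tgz' \
        'Patch1: policy-base.patch' '%prep' '%setup -q -n serefpolicy' \
        '%build' > "$top/SPECS/selinux-policy.spec"
    echo '--- constructed local policy change ---' > "$top/local.patch"
    echo "$top"
}
```

Running `rpmbuild -bp` on the edited spec before the full build shows whether the patch applies cleanly to the unpacked policy sources.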