One more question... Let's say I used audit2allow to create a custom policy as follows:

    cat deny.log | audit2allow -M test

This will create test.te and test.pp for me. If I wanted to make additional modifications to test.te, how can I compile this new test.te to come up with the new test.pp ??

Note: I don't seem to have the /usr/share/selinux/devel/Makefile file present on my setup !?! Is there some alternative way to compile the *.te files ??

Thanks.

-----Original Message-----
From: owner-selinux@xxxxxxxxxxxxx [mailto:owner-selinux@xxxxxxxxxxxxx] On Behalf Of Hasan Rezaul-CHR010
Sent: Wednesday, December 09, 2009 8:18 PM
To: Daniel J Walsh
Cc: selinux@xxxxxxxxxxxxx
Subject: How to use sepolgen VS. policygentool

Hi All,

I used to have the following SELinux related package versions on my Linux (2.6.18) system:

    checkpolicy - 1.33.1
    libselinux - 2.0.13
    libsemanage - 2.0.1
    libsepol - 2.0.3
    libsetrans - 0.1.18
    policycoreutils - 2.0.16

On that machine, I used to use /usr/share/selinux/devel/policygentool to create new custom policy templates, modified them as necessary, and ran make -f /usr/share/selinux/devel/Makefile to compile my custom.te policies to create custom.pp.

I have now upgraded to Linux 2.6.27 on a non-popular Linux distro, and as part of this upgrade we also migrated to much newer versions of the SELinux packages. They are:

    checkpolicy-2.0.19
    libselinux-2.0.85
    libsemanage-2.0.33
    libsepol-2.0.37
    policycoreutils-2.0.69
    sepolgen-1.0.17

My questions are:

1. On this new system, I don't see policygentool anymore! In fact, I am missing the whole /usr/share/selinux/devel/* directory. Can I install the selinux-policy-devel package on this machine? If so, where should I get it from? Is policygentool still supported?

2. I do see this new package "sepolgen", which I am guessing is the newer replacement? I do see that sepolgen is in fact installed on my system:

    root@unknown:/root> rpm -q sepolgen
    sepolgen-1.0.17-1_WR3.0.2as.ppc_e500v2
    root@unknown:/root> which sepolgen
    which: no sepolgen in (/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/root/bin)
    root@unknown:/root> cd /usr/lib/sepolgen/
    root@unknown:/usr/lib/sepolgen> ls
    perm_map
    root@unknown:/usr/lib/sepolgen>

How do I use this sepolgen thing? I thought I could run a sepolgen executable as follows: "sepolgen -t <program>". But I don't see where the sepolgen executable is??? Do I need to install any other packages to use sepolgen?

3. Finally, it seems that sepolgen will create a template policy based on a particular process, e.g. /usr/bin/ssh. What if I wanted to write more generic policy for restricting SELinux users? For example:

    neverallow user_t etc_t:file write;
    neverallow user_t bin_t:file write;
    neverallow user_t proc_t:file write;
    neverallow staff_t bin_t:file write;
    :
    :

What <program_name> should I supply in the sepolgen command, to create a custom policy template for this purpose?

Thanks in advance for all your help :-)

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
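The compile step asked about at the top of the thread, as an added example that is not part of the original messages: audit2allow -M itself drives checkmodule and semodule_package, so those two tools stand in for the missing devel Makefile when a hand-edited test.te has to be rebuilt into test.pp. It assumes checkpolicy and policycoreutils are installed and that the .te starts with a `module NAME VERSION;` line, as audit2allow -M writes it; the script name build_pp.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild a loadable policy module
# (NAME.te -> NAME.mod -> NAME.pp) without /usr/share/selinux/devel/Makefile.
# Assumes checkmodule (checkpolicy) and semodule_package (policycoreutils)
# are on PATH, and that the .te begins with "module NAME VERSION;".

# Read the module name from the "module <name> <version>;" header so the
# .mod and .pp files are named after the module, as the Makefile names them.
te_module_name() {
    sed -n 's/^[[:space:]]*module[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\)[[:space:]].*/\1/p' "$1" | head -n 1
}

# Compile and package one .te file. If a NAME.fc file sits next to it, its
# file contexts are packaged as well (-f), which audit2allow -M never writes
# but a hand-edited module often needs.
build_pp() {
    te="$1"
    name=$(te_module_name "$te")
    [ -n "$name" ] || { echo "no 'module NAME VERSION;' line in $te" >&2; return 1; }
    dir=$(dirname "$te")
    # -M: loadable-module policy language; -m: build a non-base module
    checkmodule -M -m -o "$dir/$name.mod" "$te" || return 1
    if [ -f "$dir/$name.fc" ]; then
        semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" -f "$dir/$name.fc"
    else
        semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
    fi
}

# Stand-alone use: sh build_pp.sh test.te   (then: semodule -i test.pp)
if [ -n "${1:-}" ]; then
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        build_pp "$1"
    else
        echo "need checkmodule and semodule_package (checkpolicy, policycoreutils)" >&2
        exit 1
    fi
fi
```

Loading the result is still `semodule -i test.pp`; reinstalling a module with the same name replaces the earlier version, so bumping the version in the `module` line is a convenient way to see which build is active in `semodule -l`.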