On 12/10/2009 10:54 AM, Stephen Smalley wrote:
> On Wed, 2009-12-09 at 21:18 -0500, Hasan Rezaul-CHR010 wrote:
>> Hi All,
>>
>> I used to have the following SELinux related package versions on my
>> Linux (2.6.18) system:
>>
>> checkpolicy - 1.33.1
>> libselinux - 2.0.13
>> libsemanage - 2.0.1
>> libsepol - 2.0.3
>> libsetrans - 0.1.18
>> policycoreutils - 2.0.16
>>
>> On that machine, I used to use /usr/share/selinux/devel/policygentool
>> to create new custom policy templates, and modified them as necessary,
>> and used to run
>>
>> make -f /usr/share/selinux/devel/Makefile to compile my custom.te
>> policies to create custom.pp.
>>
>> I now have upgraded to Linux 2.6.27 on a non-popular Linux distro, and
>> as part of this upgrade, we also migrated to much newer versions of the
>> SELinux packages. They are:
>>
>> checkpolicy-2.0.19
>> libselinux-2.0.85
>> libsemanage-2.0.33
>> libsepol-2.0.37
>> policycoreutils-2.0.69
>> sepolgen-1.0.17
>>
>> My questions are:
>>
>> 1. On this new system, I don't see policygentool anymore! In fact, I am
>> missing the whole /usr/share/selinux/devel/* directory. Can I install
>> the selinux-policy-devel package on this machine? If so, where should
>> I get it from? Is policygentool still supported?
>
> policygentool and /usr/share/selinux/devel/ are specific to Fedora and
> RHEL - they aren't part of upstream SELinux or reference policy AFAIK. I
> think reference policy puts its headers
> under /usr/share/selinux/$POLICYTYPE so that you can have multiple sets
> of headers.
>
>> 2. I do see this new package "sepolgen", which I am guessing is the
>> newer replacement? I do see that sepolgen is in fact installed on my
>> system:
>
> No, sepolgen is a Python module that provides the core logic for
> audit2allow. Not related to policygentool at all.
>
>> root@unknown:/root> rpm -q sepolgen
>> sepolgen-1.0.17-1_WR3.0.2as.ppc_e500v2
>> root@unknown:/root>
>> root@unknown:/root> which sepolgen
>> which: no sepolgen in
>> (/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/root/bin)
>> root@unknown:/root>
>> root@unknown:/root>
>> root@unknown:/root> cd /usr/lib/sepolgen/
>> root@unknown:/usr/lib/sepolgen> ls
>> perm_map
>> root@unknown:/usr/lib/sepolgen>
>>
>> How do I use this sepolgen thing? I thought I could run an sepolgen
>> executable as follows: "sepolgen -t <program>"
>> But I don't see where the sepolgen executable is??? Do I need to
>> install any other packages to use sepolgen?
>>
>> 3. Finally, it seems that sepolgen will create a template policy based
>> on a particular process, e.g. /usr/bin/ssh
>>
>> What if I wanted to write more generic policy for restricting selinux
>> users. For example:
>>
>> neverallow user_t etc_t:file write;
>> neverallow user_t bin_t:file write;
>> neverallow user_t proc_t:file write;
>> neverallow staff_t bin_t:file write;
>> :
>> :
>>
>> what <program_name> should I supply in the sepolgen command, to
>> create a custom policy template for this purpose?
>>
>>
>> Thanks in advance for all your help :-)
>>
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
>> the words "unsubscribe selinux" without quotes as the message.

I have added a command line tool sepolgen which uses the polgengui stuff
to generate policy.

http://danwalsh.livejournal.com/32430.html
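The thread leaves the practical question open: how to compile a module containing the neverallow rules from question 3 on a system that has no Fedora /usr/share/selinux/devel/ tree. The script below is an added example, not code from the thread or from any of the participants. It writes the module in raw module language (no reference-policy m4 macros, so no header Makefile is needed) and compiles it with checkmodule and semodule_package from the upstream checkpolicy and policycoreutils packages the poster already has. The module name "userconfine", the working directory and the CHECKMODULE_FLAGS variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a custom SELinux
# policy module without policygentool or /usr/share/selinux/devel/.
# Tools used: checkmodule (checkpolicy package) and semodule_package /
# semodule (policycoreutils package). Module name "userconfine" is assumed.
set -e

# checkmodule -M compiles the module with MLS/MCS support; it must match
# the base policy (drop -M if the installed policy is not MLS/MCS-enabled).
CHECKMODULE_FLAGS="${CHECKMODULE_FLAGS:--M}"

# Write the module source. The require block declares the types and
# classes the module references but does not own; the neverallow rules
# are the ones asked about in the thread.
write_te() {
    out="$1"
    cat > "$out" <<'EOF'
module userconfine 1.0;

require {
    type user_t, staff_t;
    type etc_t, bin_t, proc_t;
    class file { write };
}

# neverallow is an assertion, not a deny rule: the build fails if any
# allow rule in the linked policy grants one of these permissions.
# For loadable modules the check only runs when expand-check=1 is set
# in /etc/selinux/semanage.conf.
neverallow user_t etc_t:file write;
neverallow user_t bin_t:file write;
neverallow user_t proc_t:file write;
neverallow staff_t bin_t:file write;
EOF
}

# Count the neverallow assertions in a .te file (sanity check on output).
count_neverallow() {
    grep -c '^neverallow ' "$1"
}

# Compile .te -> .mod (-m: non-base module) -> .pp package.
build_pp() {
    te="$1"
    base="${te%.te}"
    # shellcheck disable=SC2086  # flags are intentionally word-split
    checkmodule $CHECKMODULE_FLAGS -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    echo "$base.pp"
}

# Install into the policy store (root required). A neverallow violation
# surfaces here, at link/expand time, when expand-check=1 is enabled.
install_pp() {
    semodule -i "$1"
}

main() {
    workdir="${TMPDIR:-/tmp}/userconfine.$$"
    mkdir -p "$workdir"
    write_te "$workdir/userconfine.te"
    echo "wrote $workdir/userconfine.te with $(count_neverallow "$workdir/userconfine.te") neverallow rules"
    if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
        pp=$(build_pp "$workdir/userconfine.te")
        echo "built $pp; load it with: semodule -i $pp"
    else
        echo "checkmodule/semodule_package not found; skipping compile" >&2
    fi
}

main
```

Two things to check before relying on this on a non-Fedora distribution: that the -M flag matches whether the base policy was built with MLS/MCS (semodule refuses to link a mismatched module), and that expand-check=1 is set in /etc/selinux/semanage.conf, since without it the neverallow assertions in a loadable module are silently skipped and give no protection.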