On Wed, 2010-05-19 at 07:18 -0700, Justin P. Mattock wrote:
> On 05/19/2010 06:34 AM, Stephen Smalley wrote:
> > On Wed, 2010-05-19 at 06:21 -0700, Justin P. Mattock wrote:
> >> On 05/19/2010 03:04 AM, Shaz wrote:
> >>>> It's very true that both SELinux policy and policy store are
> >>>> arch-independent. It takes about 70 minutes to build the policy store from
> >>>> scratch on my embedded target, but I could copy and use the host policy
> >>>> store on the target, only that it will take 20 minutes each time to change
> >>>> SELinux attribute on the fly by the semanage tool, so I think I'd better
> >>>> save all the trouble by committing the changes to SELinux source code on the
> >>>> host instead.
> >>>
> >>> Sounds interesting. Let me try it too.
> >>>
> >>
> >>
> >> yep.. I built a policy on x86_64
> >> then copied it to all my other machines (i586)
> >> (no problem), but things like libselinux
> >> will probably be a different story.
> >
> > Well, yes, because libselinux is executable code. policy is just data.
> >
>
>
> hmm.. I'm wondering if something could be modified
> with monolithic policies and the whole policy
> version thing e.g. build.conf:
>
> # Policy version
> # By default, checkpolicy will create the highest
> # version policy it supports. Setting this will
> # override the version. This only has an
> # effect for monolithic policies.
> #OUTPUT_POLICY = 18

I'm not sure what you're asking, but I did mention setting OUTPUT_POLICY
in build.conf or policy-version in semanage.conf to force generation of
an older version of policy when building on a host that supports a newer
policy version than the target system.

--
Stephen Smalley
National Security Agency
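An added example, not part of the original thread: a pre-deployment check that a policy built on the host is not newer than the target kernel can load, which is the case OUTPUT_POLICY and policy-version address. It assumes the kernel binary policy header layout (little-endian magic, string length, "SE Linux", then the version); the function names and the header-only sample images are constructed for illustration.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # magic of a kernel (monolithic) binary policy
POLICYDB_STRING = b"SE Linux"    # identifier string that follows the magic


class PolicyHeaderError(ValueError):
    """The data does not start with a kernel binary policy header."""


def policy_version(data: bytes) -> int:
    """Return the policy version recorded in a binary policy image."""
    if len(data) < 8:
        raise PolicyHeaderError("truncated header")
    magic, strlen = struct.unpack_from("<II", data, 0)
    if magic != POLICYDB_MAGIC:
        raise PolicyHeaderError(f"bad magic 0x{magic:08x}")
    end = 8 + strlen
    if strlen != len(POLICYDB_STRING) or data[8:end] != POLICYDB_STRING:
        raise PolicyHeaderError("unexpected policy identifier string")
    if len(data) < end + 4:
        raise PolicyHeaderError("truncated before version field")
    (version,) = struct.unpack_from("<I", data, end)
    return version


def loadable_on(data: bytes, target_max: int) -> bool:
    """True if the image's version does not exceed the target's maximum.

    target_max is the number the target kernel reports in the selinuxfs
    file `policyvers`; it is passed in so the check can run on the host.
    """
    return policy_version(data) <= target_max


def sample_policy(version: int) -> bytes:
    """Constructed header-only image for the demo, not a real policy."""
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING
            + struct.pack("<4I", version, 0, 0, 0))


if __name__ == "__main__":
    target_max = 18                      # constructed: an older target
    for built in (24, 18):               # host default vs. OUTPUT_POLICY = 18
        ok = loadable_on(sample_policy(built), target_max)
        print(f"policy.{built} on target max {target_max}: "
              f"{'ok' if ok else 'too new, set OUTPUT_POLICY'}")
```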