On 07/31/2015 10:26 PM, Dan wrote:
> Yeah I'm just looking to build selinux policies to confine applications,
> etc, with the cil language and nothing else, so when you say the policy
> store is that the /var/lib/selinux/targeted/active/modules/400 directory?
>
> On 07/31/2015 10:13 AM, James Carter wrote:
>> On 07/31/2015 12:56 AM, Dan wrote:
>>> Hello everyone,
>>>
>>> I have been reading up on the cil documentation and am starting to get
>>> the hang of it and have successfully built my first module. I have a
>>> module called test.cil. Now my only question is where exactly would I
>>> put this module to build it or does it not matter where you stick them
>>> at? I know when you take the .pp packages and convert them to .cil they
>>> get stored in /var/lib/selinux/targeted/active/modules/400, but I'm just
>>> using the secilc compiler and nothing else to build policy.

/var/lib/selinux is a default location for your module store. It can be
changed in semanage.conf.

Basically if you want to add a local policy module, just use

    # semodule -i mypol.cil

This module will be loaded with the default priority for custom policies.

    # semodule --list-module=full |grep mypol
    400 mypol cil

>>>
>>
>> If you are using the CIL compiler to build the whole policy, then it
>> doesn't matter where the files are located. Just specify all of the
>> files that are part of the policy on the command line for secilc.
>>
>> Do note that the CIL compiler does not build modules, it builds the
>> complete policy, so if you are only building a module then it should
>> go into the policy store. You should also use the policy store if you
>> want to use the management functions of semanage.
>>
>
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to
> Selinux-request@xxxxxxxxxxxxx.

-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.