On Tue, 2006-09-19 at 10:20 +0800, Benjamin Tsai wrote:
> I want to write policy for my own daemon, instead of a strict
> policy.
> So, I stepped on the wrong road from the beginning?
> Though, according to the document "Configuring the SELinux Policy", it
> indicates a path to policy source.
That's because it was written before modular policy support existed.
Useful links:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/
Fedora SELinux Wiki
http://fedoraproject.org/wiki/SELinux/
Dan and Joshua, it looks like the links to various Tresys site pages are no longer valid.
> Well then, what's a correct build path? Are the following steps
> correct?
> write foo.te file, and execute
> # checkmodule -M -m foo.te -o foo.mod
> Then
> # semodule -i foo.mod
semodule acts on a policy module package rather than just a module,
which you can create via:
semodule_package -o foo.pp -m foo.mod
If you have file contexts as well, you can bundle them within the
package, as in:
semodule_package -o foo.pp -m foo.mod -f foo.fc
But this can all be handled more easily via the sequence described in:
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961577
> Besides, is it then impossible to customize my own base policy
> package?
> Or shall I start over and write my own base module word by word?
It isn't impossible, but in many cases, it is no longer necessary - you
can define your own policy modules and add them, or you can use semanage
to customize other local settings, while still being able to just use
the Fedora-provided base policy and any updates to it.
You can certainly replace the entire policy and just use the refpolicy
from oss.tresys.com, but if you don't need to do so, then it is just
making more work for yourself.
--
Stephen Smalley
National Security Agency
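The checkmodule / semodule_package / semodule sequence described above, wrapped in a small POSIX shell script as an added example (not part of the original thread or of any SELinux tool). The module name "foo" and the policy directory are assumptions; the file-context file is bundled only when it actually exists, as the reply notes.

```shell
#!/bin/sh
# Build and install an SELinux policy module from NAME.te (and NAME.fc if
# present), following: checkmodule -> semodule_package -> semodule -i.
# Added example script; module name and directory are assumed, not from the page.
set -eu

# Print the semodule_package arguments for module $1 in directory $2.
# The -f NAME.fc option is appended only when that file-context file exists.
package_args() {
    name=$1
    dir=${2:-.}
    args="-o $dir/$name.pp -m $dir/$name.mod"
    if [ -f "$dir/$name.fc" ]; then
        args="$args -f $dir/$name.fc"
    fi
    printf '%s\n' "$args"
}

# Compile, package and install module $1 from directory $2.
# semodule -i needs root; the earlier steps do not.
build_module() {
    name=$1
    dir=${2:-.}
    [ -f "$dir/$name.te" ] || { echo "missing $dir/$name.te" >&2; return 1; }
    # -M: modular policy, -m: build a non-base (loadable) module
    checkmodule -M -m "$dir/$name.te" -o "$dir/$name.mod"
    # word splitting is intended here (paths without spaces assumed)
    # shellcheck disable=SC2046
    semodule_package $(package_args "$name" "$dir")
    # install the package (not the bare .mod) into the running policy store
    semodule -i "$dir/$name.pp"
}

# Usage (as root): build_module foo /path/to/policy
```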