Sorry, in the first post I meant to say that I wanted to install the
policycoreutils<version>.rpm (the devil really is in the details.)
--the reason for needing this rpm is that I am hoping to be able to
install a custom policy and file-labelling without installing the
source configuration files. This is just so that even a root user
could be kept from editing my policy.conf files. I need the coreutils
b/c if the source config files are not going to be present then
neither is the Makefile, so I would need to use "fixfiles relabel" and
"load_policy".
Unless, there is a better way to load and relabel when not installing
the config source files.
I am hoping to have this installation be performed by someone else
somewhere else, and to make the installation as mindless as possible
for them.
Thanks,
-Dan
On 6/15/05, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Wed, 2005-06-15 at 14:27 -0400, Security News wrote:
> Anyone have any thoughts on the best way to install my own policy
> files on a few machines.
>
> I have to go out and find a way to install a policy file, install my
> own file_context files, and then compile and load the new custom
> policy and fc files.
>
> These systems would be running standard FC3 with the targetted policy,
> but without the targetted sources.
>
> I would like to set them all up so that they then have my own version
> of the strict policy, without having the source files installed.
>
> Is rpm the best way to attack this or are there better options out
> there? As I see it I would have to include the
> policy-strict-<version>.rpm as well as setools-<version>.rpm within my
> own rpm file in order to load everything necessary to load the policy
> and relabel the filesystem.
setools isn't needed for SELinux operation; they are purely optional
tools for policy analysis and management.
It sounds like you want to perform a wholesale replacement of the policy
on these systems. That should be feasible without requiring policy
sources on the end systems (in the future, it will be possible to also
distribute binary policy modules that can be linked into the base policy
on the end systems without requiring sources on the end systems, but
that support won't be available until FC5).
I'm not sure why you need anything other than a selinux-policy-strict
package (which contains the binary policy file, the file_contexts
configuration, and other policy-related config files) with a modified
post scriptlet in the spec file to perform the conversion (e.g. switch
to permissive mode, change /etc/selinux/config, load new policy, relabel
filesystems, reboot). Naturally, the devil is in the details; you'll
want to try it on a non-production system first.
--
Stephen Smalley
National Security Agency