Hello everyone,
I maintain an RPM that installs .te and .fc files. In the past, contributing to the system's SELinux policy could be done by installing files in /etc/security/selinux/src/policy (I'm not sure this is right to begin with):
%policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
%policy %{_sysconfdir}/security/selinux/src/policy/file_contexts/misc/pam_mount.fc
However, now policies may be in /etc/selinux/strict/src/policy/ or /etc/selinux/targeted/src/policy/. It is also possible that only one of these directories exists.
What is the proper procedure for an RPM to contribute to the system's SELinux policy? My RPM introduces new contexts and provides new allow statements. The Fedora Core 2 SELinux FAQ does not seem to address these questions, though it does allude to SELinux-related RPM hooks.
-- Mike
On Wed, 16 Jun 2004 10:56, "W. Michael Petullo" mike@flyn.org wrote:
> I maintain an RPM that installs .te and .fc files. In the past, contributing to the system's SELinux policy could be done by installing files in /etc/security/selinux/src/policy (I'm not sure this is right to begin with):
> %policy %{_sysconfdir}/security/selinux/src/policy/macros/pam_mount_macros.te
> However, now policies may be in /etc/selinux/strict/src/policy/ or /etc/selinux/targeted/src/policy/. It is also possible that only one of these directories exists.
I don't think that your macros file fits in with the targeted policy, and I think that the general aims of the targeted policy don't involve that sort of thing (but this hasn't been considered much so far).
It's probably best to install the files under only the strict directory.
It is also possible that only one of those directories exists.
selinux@lists.fedoraproject.org