selinux local policy from F10 to F11?

Stephen Smalley sds at tycho.nsa.gov
Thu Jun 18 12:32:10 UTC 2009


On Wed, 2009-06-17 at 22:37 +0100, mike cloaked wrote:
> If you have generated local selinux policy using semanage fcontext for
> specific files or directories in F10, is there now a recommended way
> to automate retrieval of these and then create the same rule set for
> F11 after a clean F11 install?
> 
> I know that you can do
> # semanage fcontext -C -l and send the output to a file.
> This will generate lines such as
> SELinux fcontext                                   type               Context
> 
> /home/mike/.cxoffice(/.*)?                         all files          system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/SHLWAPI.DLL all files          system_u:object_r:textrel_shlib_t:s0
> /home/mike/.cxoffice/dotwine/drive_c/Windows/System/ole32.dll all files          system_u:object_r:textrel_shlib_t:s0
> /home/mike/.wine(/.*)?                             all files          system_u:object_r:textrel_shlib_t:s0
> 
> However I guess that saving this will still not allow these rules to
> be written back to the new system in an automated way unless a script
> is written to parse the lines and create a set of new selinux fcontext
> lines that will create each local
> rule with something like:
> semanage fcontext -a -t textrel_shlib_t /home/mike/.cxoffice(/.*)?
> with one for each original line in the output generated from the old
> system before it was replaced?
> 
> If there is a cleaner way to achieve this I would like to hear about it?

That's come up before, but no one has implemented --export and --import
options as far as I know.

So I think the only way to do it presently is to manually copy
the /etc/selinux/targeted/modules/active/file_contexts.local file from
the F10 system to the F11 system, and then run semodule -B on the F11
system to force a policy store rebuild.  Afterward, you should find it
installed in /etc/selinux/targeted/contexts/files/file_contexts.local on
the F11 system.

-- 
Stephen Smalley
National Security Agency
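The parse-and-replay script mike describes, as an added example that is not part of the thread: a POSIX sh function that turns a saved `semanage fcontext -C -l` listing into the `semanage fcontext -a -t` commands that recreate each local rule. It assumes paths contain no whitespace and only emits commands for "all files" entries, the form shown above; entries with any other file type are reported on stderr and skipped rather than guessed at.

```shell
#!/bin/sh
# Turn the `semanage fcontext -C -l` listing (local customizations only) into
# the `semanage fcontext -a` commands that recreate each entry on a fresh
# install. Assumptions: a path contains no whitespace, and only "all files"
# entries are emitted, since that is the command form the thread shows;
# entries with any other file type are reported on stderr and skipped.
fcontext_to_commands() (
    set -f                                    # no globbing of (/.*)? in paths
    while IFS= read -r line; do
        set -- $line                          # split listing line into words
        [ $# -ge 3 ] || continue              # blank or truncated line
        case "$1 $2" in "SELinux fcontext") continue ;; esac   # column header
        path=$1; shift
        rest=$*                               # "<file type words> <context>"
        ctx=${rest##* }                       # user:role:TYPE:range
        ftype=${rest% *}                      # e.g. "all files"
        case $ctx in
            *:*:*) ;;
            *) echo "skipping $path: unparsable context '$ctx'" >&2; continue ;;
        esac
        type=${ctx#*:*:}; type=${type%%:*}    # third colon-separated field
        if [ "$ftype" != "all files" ]; then
            echo "skipping $path: file type '$ftype' needs -f, not handled here" >&2
            continue
        fi
        # single-quote the path so the shell never expands the (/.*)? pattern
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$path"
    done
)

# Constructed sample listing in the same format as the one quoted in the
# thread; the last line is made up to exercise the skip path.
SAMPLE_LISTING='SELinux fcontext                type          Context

/home/mike/.cxoffice(/.*)?      all files     system_u:object_r:textrel_shlib_t:s0
/home/mike/.wine(/.*)?          all files     system_u:object_r:textrel_shlib_t:s0
/srv/app/run.sh                 regular file  system_u:object_r:bin_t:s0'

printf '%s\n' "$SAMPLE_LISTING" | fcontext_to_commands
```

Review the generated commands before running them on the new system; a type that no longer exists in the F11 policy will make `semanage` refuse the rule.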



