How do you expose a policy interface?

Dominick Grift domg472 at gmail.com
Thu Oct 8 18:40:23 UTC 2009


On Thu, Oct 08, 2009 at 11:08:01AM -0700, Nathan Kinder wrote:
> On 10/08/2009 10:47 AM, Dominick Grift wrote:
> >On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> >>I'm writing two policy modules for two separate packages
> >>(389-ds-base and 389-admin).  I would like to expose some macros via
> >>an interface from my dirsrv policy for use by the dirsrv-admin
> >>policy.  I have defined an interface in my dirsrv.if file and built
> >>and installed the dirsrv policy module.  Apparently, this doesn't
> >>expose the interface as I get an error when building my dirsrv-admin
> >>policy that indicates that it doesn't know anything about my new
> >>interface.
> >Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
> >Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile
> >
> >Finally install them: semodule -i ~/modules/*.pp
> >
> >This works for me.
> The source for these two modules is installed in two different git
> repositories, and I'd prefer to keep them separate and be able to
> build them standalone.
> 
> I've found that I can place my .if file in
> /usr/share/selinux/devel/include/services and it will be located
> when building the second policy module, but I'm guessing it's not
> really proper for me to install it there.
> 
> Is there some sort of include path for interface files that can be
> set at policy module build time?  I'd be fine with having a
> "389-ds-base-selinux-devel" package that installs my interface file
> somewhere which could then be used when building the
> "389-admin-selinux" package.  The questions are where is there a
> standard place to install the .if file and is there a way to specify
> the interface include path when building policy?

I think /usr/share/selinux/devel/include/ would be a proper place to put your shared policy.

I would create devel packages that basically copy the interface files there.

> >>What is the proper way to expose a policy interface?  Does my
> >>dirsrv.if file need to be installed on the system somewhere
> >>specific?
> >>
> >>Thanks,
> >>-NGK
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list at redhat.com
> >>https://www.redhat.com/mailman/listinfo/fedora-selinux-list



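An added example (not code from the thread or from the 389 packages) of what the install step of such a devel package would do, plus a check that a named interface is defined under the include tree before building the dependent module. The interface name dirsrv_example_read, the sample file contents and the helper function names are hypothetical; the "services" subdirectory is the one mentioned in the thread.

```shell
#!/bin/sh
# Added example: stage an interface file the way a "-devel" package would,
# then confirm a named interface is defined under the include tree.

# Directory named in the thread.
INCLUDE_DIR=/usr/share/selinux/devel/include

# stage_interface IF_FILE DESTDIR [LAYER]
# Copy IF_FILE to DESTDIR$INCLUDE_DIR/LAYER/ with mode 0644 and print the path.
stage_interface() {
    src=$1; destdir=$2; layer=${3:-services}
    [ -f "$src" ] || { echo "no such interface file: $src" >&2; return 1; }
    target="$destdir$INCLUDE_DIR/$layer"
    mkdir -p "$target" || return 1
    install -m 0644 "$src" "$target/" || return 1
    printf '%s\n' "$target/$(basename "$src")"
}

# find_interface NAME ROOT
# Print every .if file under ROOT that defines NAME with interface() or
# template(); return non-zero when no file defines it.
find_interface() {
    name=$1; root=$2
    pattern="^[[:space:]]*(interface|template)\(\`${name}'"
    hits=$(find "$root" -type f -name '*.if' \
        -exec grep -lE "$pattern" {} + 2>/dev/null || true)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Constructed demo: a hypothetical interface staged into a scratch DESTDIR.
demo() {
    work=$(mktemp -d) || return 1
    cat > "$work/dirsrv.if" <<'EOF'
## <summary>Constructed sample; dirsrv_example_read is a hypothetical name.</summary>
interface(`dirsrv_example_read',`
	gen_require(`
		type dirsrv_t;
	')
	allow $1 dirsrv_t:process signull;
')
EOF
    stage_interface "$work/dirsrv.if" "$work/root" >/dev/null &&
        find_interface dirsrv_example_read "$work/root$INCLUDE_DIR"
    rc=$?
    rm -rf "$work"
    return $rc
}
demo
```

In a package build, DESTDIR would be the build root; on an installed system, running find_interface against /usr/share/selinux/devel/include shows whether the interface file is where the second module's build will look.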