Building a modified selinux source rpm

Stephen Smalley sds at tycho.nsa.gov
Fri Apr 23 12:33:13 UTC 2010


On Fri, 2010-04-23 at 07:15 -0400, Alan Rouse wrote:
> I'm trying to get selinux working in a different linux distribution
> where the directory structure differs from the fedora / redhat
> pattern.  I'm attempting to use the fedora selinux src rpm as a
> starting point, but of course lots of files are being labelled
> incorrectly due to the directory differences.  I can identify the
> incorrectly labelled files and I know how to get them labelled
> correctly.  But I need to be able to make a new source rpm based on
> the fedora selinux src rpm, including the necessary changes, so I can
> distribute and maintain the policy over time.  
> 
> I can execute "rpmbuild -bp  SPECS/selinux-policy.spec" to generate
> the fedora patched policy source in the BUILD directory.  Then I can
> make my changes there.  But I need to be able to regenerate the src
> rpm including those changes.  And I need to be able to maintain this
> over time as the reference policy evolves, by dropping in a new
> reference policy tgz and regenerating the patch files.   Surely
> there's a better way than "vi policy-F12.patch"!
> 
> I presume there are tools / scripts / instructions to help with this.
> Can someone point me in the right direction?

Typically you'd make a copy of the serefpolicy-x.y.z directory under the
BUILD directory, modify that copy, generate a diff, and add that to
the .spec file as a further patch on top of the existing ones (not as a
replacement for them).  Then use rpmbuild to regenerate the .src.rpm
with your modifications.

A quick google search found this:
http://bradthemad.org/tech/notes/patching_rpms.php

But fundamentally it isn't any different than creating a src rpm in the
first place.

Ideally you'd upstream your changes to the refpolicy, although you may
need to regenerate your patches relative to it then.

You can wrap your entries with an ifdef(`distro_xxx', `...') and build
with DISTRO=xxx to enable them so that they are only applied for that
distro.

-- 
Stephen Smalley
National Security Agency
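
The workflow described in the reply above, sketched as an added example (not part of the original message and not Fedora's own tooling). The spec fragment, the `apache.fc` entry, the `/opt/apache` path, the patch file name and the number `Patch100` are all constructed for illustration; `make_patch`, `add_patch_to_spec` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. The spec fragment, file names and Patch100 are constructed.

# make_patch ORIG MODIFIED OUT: diff exits 1 when the trees differ (expected).
make_patch() {
    diff -urN "$1" "$2" > "$3" || [ $? -eq 1 ] || return 2
    [ -s "$3" ]                      # an empty patch means nothing was changed
}

# add_patch_to_spec SPEC PATCHFILE N: add "PatchN:" after the last existing
# Patch tag and "%patchN -p1" after the last existing %patch line, so the
# new patch applies on top of the existing ones instead of replacing them.
add_patch_to_spec() {
    awk -v p="$2" -v n="$3" '
        { line[NR] = $0 }
        tolower($0) ~ /^patch[0-9]*:/ { tag = NR }
        /^%patch/                     { apply = NR }
        END {
            if (!tag || !apply) exit 1
            for (i = 1; i <= NR; i++) {
                print line[i]
                if (i == tag)   printf "Patch%s: %s\n", n, p
                if (i == apply) printf "%%patch%s -p1\n", n
            }
        }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# demo: run the workflow on a constructed tree; prints the work directory.
demo() (
    work=$(mktemp -d) && cd "$work" || exit 1
    mkdir -p SOURCES SPECS BUILD/serefpolicy-x.y.z/policy/modules/services
    printf '%s\n' 'Source: serefpolicy-%{version}.tgz' 'Patch: policy-F12.patch' \
        '%prep' '%setup -n serefpolicy-%{version} -q' '%patch -p1' '%build' \
        > SPECS/selinux-policy.spec
    cd BUILD || exit 1
    fc=policy/modules/services/apache.fc
    echo '/usr/sbin/httpd -- gen_context(system_u:object_r:httpd_exec_t,s0)' \
        > "serefpolicy-x.y.z/$fc"
    cp -R serefpolicy-x.y.z serefpolicy-x.y.z.distro   # modify the copy only
    cat >> "serefpolicy-x.y.z.distro/$fc" <<'EOF'
ifdef(`distro_xxx',`
/opt/apache/bin/httpd -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
EOF
    make_patch serefpolicy-x.y.z serefpolicy-x.y.z.distro \
        ../SOURCES/policy-distro-xxx.patch || exit 1
    add_patch_to_spec ../SPECS/selinux-policy.spec policy-distro-xxx.patch 100 || exit 1
    echo "$work"
)
```

On a real tree, `rpmbuild -bs SPECS/selinux-policy.spec` then regenerates the .src.rpm with the extra patch included.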


