On Thu, 2013-12-05 at 17:12 +0100, Vidalie Hervé wrote:
Hello,
Thank you for your answers.
I have two remaining questions:
- I would like to create a policy package file to define and add these file context mappings. How do I add mapping rules and rules for automatically labeling created files?
- Where can I find the source of the policy I use? (selinux-policy-targeted-3.7.19-195.el6_4.18.noarch)
I will give you an example.
For example, let's say I want to create a policy package that associates system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it.
cat > mywww.te <<'EOF'
policy_module(mywww, 1.0.0)

gen_require(`
    type httpd_sys_content_t;
')
EOF
The above creates a file with the name mywww.te. The first line declares a new policy module with the name mywww and version 1.0.0. The gen_require block imports the httpd_sys_content_t type identifier. Type identifiers that are declared outside of this module need to be imported into this module before we can use them.
The system_u, object_r, and s0 identifiers do not need to be imported because they are core identifiers that are automatically imported when you declare a policy module (the first line).
cat > mywww.fc <<EOF
/mywww(/.*)?    system_u:object_r:httpd_sys_content_t:s0
EOF
The above creates a file with the name mywww.fc. The line in this file specifies the file context: it associates the security context system_u:object_r:httpd_sys_content_t:s0 with /mywww and everything below it. The (/.*)? is a POSIX regular expression.
make -f /usr/share/selinux/devel/Makefile mywww.pp
The above command creates a mywww.pp file. This is a policy package that we can use to load the policy into the system.
sudo semodule -i mywww.pp
The above command loads the policy package into the system. This will be persistent.
To remove it:
sudo semodule -r mywww
See man semodule for more details on how to manage policy packages.
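The same procedure as a small reusable script (an added example, not code from the thread): it writes the .te and .fc files for any directory/type pair, builds the package when the devel Makefile is present, and checks with matchpathcon which context the loaded policy actually assigns. The function names are hypothetical; only the Makefile path comes from the thread.

```shell
#!/bin/sh
# Generate, build and verify a file-context-only SELinux module.
# Hypothetical helper functions; only /usr/share/selinux/devel/Makefile
# is taken from the original reply.

# gen_fc_module OUTDIR NAME TYPE DIR
#   writes OUTDIR/NAME.te and OUTDIR/NAME.fc so that DIR and everything
#   below it is labelled system_u:object_r:TYPE:s0
gen_fc_module() {
    outdir=$1 name=$2 ctype=$3 dir=$4
    # TYPE is declared in the base policy, so it must be imported with
    # gen_require before this module may reference it.  The backtick is
    # escaped so the shell does not treat it as a command substitution
    # while expanding the here-document.
    cat > "$outdir/$name.te" <<EOF
policy_module($name, 1.0.0)

gen_require(\`
    type $ctype;
')
EOF
    # (/.*)? matches the directory itself or any path beneath it
    cat > "$outdir/$name.fc" <<EOF
$dir(/.*)?    system_u:object_r:$ctype:s0
EOF
}

# build_module OUTDIR NAME -> OUTDIR/NAME.pp (needs the selinux-policy
# devel package that provides the Makefile)
build_module() {
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile "$2.pp")
}

# label_matches PATH TYPE -> exit 0 when the loaded file contexts map
# PATH to TYPE; run after 'semodule -i NAME.pp' (uses matchpathcon(8))
label_matches() {
    matchpathcon -n "$1" | grep -q ":$2:"
}

# Demo with the values from the thread; the build is attempted only
# where the devel Makefile is installed.
work=$(mktemp -d)
gen_fc_module "$work" mywww httpd_sys_content_t /mywww
cat "$work/mywww.te" "$work/mywww.fc"
if [ -f /usr/share/selinux/devel/Makefile ]; then
    build_module "$work" mywww || echo "build failed (see make output)"
fi
echo "module sources in $work"
```

After `semodule -i`, `label_matches /mywww/index.html httpd_sys_content_t` confirms the mapping before you run restorecon on the tree.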