1.a. Introduction
This guide discusses how to set up a policy module for local additions of rules to the policy.
1.b. Preparation
Copy the example Makefile from the selinux-base-policy doc directory to the directory that will be used for building the policy. It is suggested that /root be used, since sysadm home directories are among the places from which the semodule tool can read policy modules.
Code Listing 1: |
# zcat /usr/share/doc/selinux-base-policy-20061008/Makefile.example.gz > /root/Makefile
|
1.c. Write a TE file
Most policy statements can be used in a policy module, but a few extra statements must be added for the module to work.
Code Listing 2: Example local.te |
policy_module(local,1.0)
require {
type sysadm_su_t, newrole_t;
}
allow sysadm_su_t newrole_t:process sigchld;
|
In addition to the basic allow rule, it has a couple of statements required by policy modules. The first is a policy_module() macro that takes the name of the module and the module's version. It also has a require block. This block specifies all types that this module needs in order to function. All types used in the module must either be declared in the module or required by this module.
1.d. Write a FC File (optional)
The file contexts file is optional and has the same syntax as always.
Code Listing 3: Example local.fc |
/opt/myprogs/mybin -- system_u:object_r:bin_t
|
Types used in the file context file should be required or declared in the TE file.
1.e. Compile Policy Modules
Simply run make to build all modules in the directory. The module will be compiled for the current policy as specified by /etc/selinux/config.
Code Listing 4: |
# make
Compiling strict local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
Creating strict local.pp policy package
|
To build the module for a policy other than the configured policy, use the NAME= option.
Code Listing 5: |
# make NAME=targeted
Compiling targeted local module
/usr/bin/checkmodule: loading policy configuration from tmp/local.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 6) to tmp/local.mod
Creating targeted local.pp policy package
|
1.f. Load the Modules
The modules can be loaded into the currently configured policy simply by using the load target of the Makefile.
Code Listing 6: |
# make load
|
The load target also respects the NAME= option. Alternatively, the semodule command can be used to load individual modules.
Code Listing 7: |
# semodule -i local.pp
|
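The whole procedure from sections 1.c through 1.f, as an added shell example that is not part of the Gentoo guide: it recreates the guide's local.te and local.fc in a scratch directory, then applies the guide's own rule that every type a module names must be declared or required, including the types in the file contexts file. The check needs only sh and awk, so it runs on a host without SELinux tooling; the build function runs checkmodule and semodule_package directly (the same work the example Makefile does) and skips itself when they are not installed. Note that, as listed, the guide's local.fc labels a file bin_t while local.te requires only sysadm_su_t and newrole_t, so the check reports bin_t until it is added to the require block.

```shell
#!/bin/sh
# Added example (not from the Gentoo guide): write the guide's module files,
# check that every referenced type is declared or required, fix the require
# block if not, and build the package when the SELinux tools are present.

# Write local.te and local.fc exactly as the guide lists them.
write_module() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/local.te" <<'EOF'
policy_module(local,1.0)
require {
	type sysadm_su_t, newrole_t;
}
allow sysadm_su_t newrole_t:process sigchld;
EOF
    cat > "$dir/local.fc" <<'EOF'
/opt/myprogs/mybin -- system_u:object_r:bin_t
EOF
}

# Report types that are referenced (allow rules, .fc contexts) but neither
# declared with "type X;" nor listed in the require block.
# Returns 0 when the module is self-consistent, 1 otherwise.
check_types() {
    te="$1"
    fc="$2"
    awk '
        # "type a, b;" either declares or requires types: both count as known.
        /^[ \t]*type[ \t]/ {
            line = $0
            sub(/^[ \t]*type[ \t]+/, "", line)
            sub(/;.*$/, "", line)
            n = split(line, parts, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") known[parts[i]] = 1
            next
        }
        # "allow src tgt:class perms;" references src and tgt.
        /^[ \t]*allow[ \t]/ {
            src = $2
            tgt = $3
            sub(/:.*$/, "", tgt)
            used[src] = 1
            if (tgt != "self") used[tgt] = 1
            next
        }
        # .fc lines end in user:role:type[:level]; the third field is the type.
        FILENAME == fcfile && NF >= 2 {
            split($NF, ctx, ":")
            if (ctx[3] != "") used[ctx[3]] = 1
        }
        END {
            bad = 0
            for (name in used)
                if (!(name in known)) { print "undeclared type: " name; bad = 1 }
            exit bad
        }
    ' fcfile="$fc" "$te" "$fc"
}

# Insert "type X;" into the require block of a .te file (no sed -i in POSIX sh).
add_required_type() {
    te="$1"
    t="$2"
    awk -v t="$t" '{ print } /^[ \t]*require[ \t]*[{]/ { print "\ttype " t ";" }' \
        "$te" > "$te.tmp" && mv "$te.tmp" "$te"
}

# Build local.pp when the tools are present; otherwise skip quietly.
build_module() {
    dir="$1"
    command -v checkmodule >/dev/null 2>&1 || { echo "checkmodule not installed, skipping build"; return 0; }
    command -v semodule_package >/dev/null 2>&1 || { echo "semodule_package not installed, skipping build"; return 0; }
    checkmodule -M -m -o "$dir/local.mod" "$dir/local.te" &&
        semodule_package -o "$dir/local.pp" -m "$dir/local.mod" -f "$dir/local.fc"
}

# Demo run: the guide's files trip the check because local.fc uses bin_t and
# local.te never requires it; adding the type satisfies the rule.
work=$(mktemp -d)
write_module "$work"
if check_types "$work/local.te" "$work/local.fc"; then
    echo "module is self-consistent"
else
    echo "fixing: requiring bin_t"
    add_required_type "$work/local.te" bin_t
    check_types "$work/local.te" "$work/local.fc" && echo "module is self-consistent"
fi
build_module "$work"
rm -rf "$work"
```

Running the script on a host with the SELinux userland installed leaves a local.pp in the scratch directory that semodule -i can load; on any other host it stops after the consistency check, which is the part worth running before every make anyway.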
1.g. Building Reference Policy Modules
The new Gentoo policy is based on the SELinux Reference Policy. For more information on building a complete Reference Policy module, see the Reference Policy Wiki.