How do you expose a policy interface?


How do you expose a policy interface?

by Nathan Kinder

I'm writing two policy modules for two separate packages (389-ds-base
and 389-admin).  I would like to expose some macros via an interface
from my dirsrv policy for use by the dirsrv-admin policy.  I have
defined an interface in my dirsrv.if file and built and installed the
dirsrv policy module.  Apparently, this doesn't expose the interface as
I get an error when building my dirsrv-admin policy that indicates that
it doesn't know anything about my new interface.

What is the proper way to expose a policy interface?  Does my dirsrv.if
file need to be installed on the system somewhere specific?

Thanks,
-NGK

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: How do you expose a policy interface?

by Dominick Grift

On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> I'm writing two policy modules for two separate packages
> (389-ds-base and 389-admin).  I would like to expose some macros via
> an interface from my dirsrv policy for use by the dirsrv-admin
> policy.  I have defined an interface in my dirsrv.if file and built
> and installed the dirsrv policy module.  Apparently, this doesn't
> expose the interface as I get an error when building my dirsrv-admin
> policy that indicates that it doesn't know anything about my new
> interface.

Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile

Finally install them: semodule -i ~/modules/*.pp

This works for me.

>
> What is the proper way to expose a policy interface?  Does my
> dirsrv.if file need to be installed on the system somewhere
> specific?
>
> Thanks,
> -NGK

Re: How do you expose a policy interface?

by Nathan Kinder

On 10/08/2009 10:47 AM, Dominick Grift wrote:
> On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> > I'm writing two policy modules for two separate packages
> > (389-ds-base and 389-admin).  I would like to expose some macros via
> > an interface from my dirsrv policy for use by the dirsrv-admin
> > policy.  I have defined an interface in my dirsrv.if file and built
> > and installed the dirsrv policy module.  Apparently, this doesn't
> > expose the interface as I get an error when building my dirsrv-admin
> > policy that indicates that it doesn't know anything about my new
> > interface.
>
> Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
> Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile
>
> Finally install them: semodule -i ~/modules/*.pp
>
> This works for me.

The source for these two modules is installed in two different git repositories, and I'd prefer to keep them separate and be able to build them standalone.

I've found that I can place my .if file in /usr/share/selinux/devel/include/services and it will be located when building the second policy module, but I'm guessing it's not really proper for me to install it there.

Is there some sort of include path for interface files that can be set at policy module build time?  I'd be fine with having a "389-ds-base-selinux-devel" package that installs my interface file somewhere which could then be used when building the "389-admin-selinux" package.  The questions are where is there a standard place to install the .if file and is there a way to specify the interface include path when building policy?

> > What is the proper way to expose a policy interface?  Does my
> > dirsrv.if file need to be installed on the system somewhere
> > specific?
> >
> > Thanks,
> > -NGK

Re: How do you expose a policy interface?

by Dominick Grift

On Thu, Oct 08, 2009 at 11:08:01AM -0700, Nathan Kinder wrote:

> On 10/08/2009 10:47 AM, Dominick Grift wrote:
> >On Thu, Oct 08, 2009 at 09:19:21AM -0700, Nathan Kinder wrote:
> >>I'm writing two policy modules for two separate packages
> >>(389-ds-base and 389-admin).  I would like to expose some macros via
> >>an interface from my dirsrv policy for use by the dirsrv-admin
> >>policy.  I have defined an interface in my dirsrv.if file and built
> >>and installed the dirsrv policy module.  Apparently, this doesn't
> >>expose the interface as I get an error when building my dirsrv-admin
> >>policy that indicates that it doesn't know anything about my new
> >>interface.
> >Make sure that both source policies are in the same directory. For example I put all my .te, .if and .fc files in ~/modules
> >Then build the source policy modules: cd ~/modules; make -f /usr/share/selinux/devel/Makefile
> >
> >Finally install them: semodule -i ~/modules/*.pp
> >
> >This works for me.
> The source for these two modules is installed in two different git
> repositories, and I'd prefer to keep them separate and be able to
> build them standalone.
>
> I've found that I can place my .if file in
> /usr/share/selinux/devel/include/services and it will be located
> when building the second policy module, but I'm guessing it's not
> really proper for me to install it there.
>
> Is there some sort of include path for interface files that can be
> set at policy module build time?  I'd be fine with having a
> "389-ds-base-selinux-devel" package that installs my interface file
> somewhere which could then be used when building the
> "389-admin-selinux" package.  The questions are where is there a
> standard place to install the .if file and is there a way to specify
> the interface include path when building policy?

I think /usr/share/selinux/devel/include/ would be a proper place to put your shared policy.

I would create devel packages that basically copy the interface files there.

> >>What is the proper way to expose a policy interface?  Does my
> >>dirsrv.if file need to be installed on the system somewhere
> >>specific?
> >>
> >>Thanks,
> >>-NGK
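The build failure discussed in this thread, as an added example that is not part of the original posts: a pre-build check that lists interfaces a .te file calls but that no .if file in the searched directories defines. The sample sources are constructed; the interface name dirsrv_read_config and the types dirsrv_config_t and dirsrvadmin_t are hypothetical, and the check assumes the reference-policy convention that a module's interfaces are prefixed with the module name.

```shell
#!/bin/sh
# Added example. Sample policy sources are constructed; the interface name
# dirsrv_read_config and the types dirsrv_config_t / dirsrvadmin_t are hypothetical.

# Write a provider .if and a consumer .te into separate directories under $1,
# mirroring two modules kept in separate source trees.
write_samples() {
    mkdir -p "$1/provider" "$1/consumer"
    cat > "$1/provider/dirsrv.if" <<'EOF'
interface(`dirsrv_read_config',`
	gen_require(`
		type dirsrv_config_t;
	')
	allow $1 dirsrv_config_t:file read_file_perms;
')
EOF
    cat > "$1/consumer/dirsrv-admin.te" <<'EOF'
policy_module(dirsrv-admin, 1.0.0)
type dirsrvadmin_t;
dirsrv_read_config(dirsrvadmin_t)
EOF
}

# unresolved_interfaces TE PREFIX DIR...
# Print every PREFIX_* interface called in TE that no *.if file under the
# given directories defines with interface(`name', or template(`name',.
unresolved_interfaces() {
    te=$1; prefix=$2; shift 2
    grep -oE "^[[:space:]]*${prefix}_[a-z0-9_]+\(" "$te" | tr -d ' \t(' | sort -u |
    while read -r name; do
        pattern="^(interface|template)\(\`${name}'"
        if ! find "$@" -name '*.if' -exec grep -lE "$pattern" {} + 2>/dev/null | grep -q .; then
            echo "$name"
        fi
    done
}

# Demo: the consumer's own directory alone cannot resolve the call; adding the
# directory that holds dirsrv.if to the search list can.
demo=$(mktemp -d)
write_samples "$demo"
echo "consumer dir only: $(unresolved_interfaces "$demo/consumer/dirsrv-admin.te" dirsrv "$demo/consumer")"
echo "with provider dir: $(unresolved_interfaces "$demo/consumer/dirsrv-admin.te" dirsrv "$demo/consumer" "$demo/provider")"
rm -rf "$demo"
```

On a build host, the directories to pass are the module's own source directory and /usr/share/selinux/devel/include, the location discussed in the thread.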