RefpolicyBuildModule

From SELinux Wiki

Two methods of building modules are supported: policy headers and the complete policy source. Current systems that support loadable policy modules, such as Fedora Core 5, should compile modules using headers. Building from the complete source is only needed if loadable modules are not supported on the system, or when making other modifications to the base policy. Generally this is only suggested for experts.

Building Using Policy Headers

When building a loadable policy module, the three module source files need not be in a specific directory. A development directory in the user's home directory would be sufficient. In this example, let's place it in the policy directory in the home directory. The example Makefile should be copied to this directory. It is usually located in the /usr/share/doc/PKGNAME directory, where PKGNAME is the name of the policy package that has the policy headers.

$ cp /usr/share/doc/refpolicy-20060307/Makefile.example ~/policy/Makefile

Alternatively, this can be copied from the Reference Policy source, from the doc directory. The Makefile is not required, but will simplify the process.

Now the policy directory should have the three module source files and Makefile. All that needs to be done is to run make, and the policy will be compiled.

$ make
Compiling targeted myapp module
/usr/bin/checkmodule:  loading policy configuration from tmp/myapp.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/myapp.mod
Creating targeted myapp.pp policy package

If you do not have the example Makefile, you must tell make where to find the policy headers' Makefile by using the -f option. The Makefile for the base policy provided by the Linux distribution should be found in the /usr/share/selinux/NAME/include directory, where NAME is the name of the policy, for example, strict or targeted.

$ make -f /usr/share/selinux/targeted/include/Makefile
Compiling targeted myapp module
/usr/bin/checkmodule:  loading policy configuration from tmp/myapp.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 5) to tmp/myapp.mod
Creating targeted myapp.pp policy package

When this succeeds, there will be a myapp.pp policy package that can be inserted into the running policy. To load the module, you must be running as root, in a role allowed to run semodule. Then run semodule -i to insert the module into the running policy.

# semodule -i myapp.pp

The semodule command only prints messages if there is an error inserting the module. If it succeeds, semodule -l should list the myapp module and its version.

# semodule -l
myapp   1.0
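As an added shell example (not code from the SELinux Wiki page), the following wraps the steps above: it derives NAME from the SELINUXTYPE line of /etc/selinux/config, picks the matching headers Makefile, runs make, and checks a semodule -l listing for the module. The config-file parameter, the function names and the sample listing used for testing are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes the three module source
# files (myapp.te, myapp.fc, myapp.if) sit in the current directory and that
# the distribution ships policy headers under /usr/share/selinux/<NAME>/include.

# Resolve the policy NAME (e.g. targeted, strict) from an SELinux config file.
# The path is a parameter so a constructed file can be used for testing;
# the default is the system file read by the init scripts.
policy_name() {
    config="${1:-/etc/selinux/config}"
    name=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$config" | tail -n 1)
    [ -n "$name" ] && printf '%s\n' "$name"
}

# Path of the distribution's headers Makefile for a given policy NAME.
headers_makefile() {
    printf '/usr/share/selinux/%s/include/Makefile\n' "$1"
}

# Build the module: use the copied example Makefile if present, otherwise
# point make at the headers Makefile with -f, exactly as described above.
build_module() {
    name=$(policy_name) || { echo "cannot determine policy name" >&2; return 1; }
    mk=$(headers_makefile "$name")
    if [ -f Makefile ]; then
        make
    else
        [ -f "$mk" ] || { echo "no headers Makefile at $mk" >&2; return 1; }
        make -f "$mk"
    fi
}

# Check a semodule -l listing (read from stdin) for a module at a version.
# Pass an empty version to accept any version (newer semodule prints none).
# Returns 0 if the module is listed, 1 otherwise.
module_loaded() {
    mod="$1"; ver="$2"
    awk -v m="$mod" -v v="$ver" \
        '$1 == m && (v == "" || $2 == v) { found = 1 } END { exit !found }'
}
```

Run build_module in the directory holding the module sources, then, as root, verify the insert with `semodule -l | module_loaded myapp 1.0`.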