Difference between revisions of "Adding New Permissions"
From SELinux Wiki
JamesMorris (Talk | contribs) (Added page on adding new permissions) |
JamesMorris (Talk | contribs) |
||
Line 1: | Line 1: | ||
(from [linkhttp://marc.info/?l=selinux&m=120491447421303&w=2 this mailing list post]) | (from [linkhttp://marc.info/?l=selinux&m=120491447421303&w=2 this mailing list post]) | ||
+ | <pre> | ||
To add a new permission to SELinux: | To add a new permission to SELinux: | ||
1) checkout a copy of the refpolicy from oss.tresys.com | 1) checkout a copy of the refpolicy from oss.tresys.com | ||
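Review bot: the unchanged line under "Line 1" still carries `[linkhttp://marc.info/?l=selinux&m=120491447421303&w=2 this mailing list post]`, and the stray `link` in front of `http://` keeps it from being a valid external-link target. Since this revision already touches the top of the page to open the `<pre>` block, drop `link` in the same edit so the source of the procedure stays reachable from the page.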
Line 16: | Line 17: | ||
akpm's system if he boots a new kernel on an existing distro that lacks | akpm's system if he boots a new kernel on an existing distro that lacks | ||
new policy. | new policy. | ||
+ | |||
+ | </pre> |
Revision as of 21:41, 9 March 2008
(from [http://marc.info/?l=selinux&m=120491447421303&w=2 this mailing list post])
To add a new permission to SELinux:

1) checkout a copy of the refpolicy from oss.tresys.com
2) cd refpolicy/policy/flask/
3) edit access_vectors and add your definition
4) run make
5) run make LINUX_D=/path/to/linux-2.6 tokern to push the kernel headers to your kernel tree
6) run make LIBSELINUX_D=/path/to/libselinux tolib to push the libselinux headers to your libselinux tree.

Then you can generate patches against policy, kernel, and libselinux.

There is also the backward compatibility issue - we must not break akpm's system if he boots a new kernel on an existing distro that lacks new policy.
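An added example, not part of the wiki page or the mailing list post: a Python check to run after step 3 that compares the original and edited `access_vectors` text and reports edits that would disturb existing permissions. It assumes the `common` / `class` / `inherits` block syntax of that file and that permission bit values follow declaration order within a 32-bit vector, so existing policy keeps its meaning only when new permissions are appended; the sample contents and the `newperm` name are constructed.

```python
import re

BLOCK = re.compile(
    r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?")

def parse_access_vectors(text):
    """Map each class to its ordered permissions, inherited common ones first."""
    text = re.sub(r"#.*", "", text)              # drop comments
    commons, classes = {}, {}
    for kind, name, parent, body in BLOCK.findall(text):
        perms = body.split()
        if kind == "common":
            commons[name] = perms
        else:
            # Assumption: class-specific bits are numbered after the common's.
            classes[name] = commons.get(parent, []) + perms
    return classes

def check_compat(old_text, new_text, max_bits=32):
    """List changes that would renumber or overflow existing permission bits."""
    old, new = parse_access_vectors(old_text), parse_access_vectors(new_text)
    problems = []
    for cls, before in old.items():
        after = new.get(cls)
        if after is None:
            problems.append(f"{cls}: class removed")
        elif after[:len(before)] != before:
            problems.append(f"{cls}: existing permission bits moved")
    for cls, perms in new.items():
        if len(perms) > max_bits:
            problems.append(
                f"{cls}: {len(perms)} permissions do not fit in {max_bits} bits")
    return problems

# Constructed sample input, not the real refpolicy file.
OLD = """
common file { ioctl read write }
class dir inherits file { add_name remove_name }
class filesystem { mount remount }
"""
NEW_APPENDED = OLD.replace("mount remount", "mount remount newperm")
NEW_IN_COMMON = OLD.replace("ioctl read write", "ioctl read write newperm")

if __name__ == "__main__":
    print(check_compat(OLD, NEW_APPENDED))
    print(check_compat(OLD, NEW_IN_COMMON))
```

Appending to a `common` block is flagged because it shifts the class-specific bits of every class that inherits it, even though the common's own list only grew at the end.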