Difference between revisions of "Adding New Permissions"

From SELinux Wiki
(Added page on adding new permissions)
 

Revision as of 21:41, 9 March 2008

(from [http://marc.info/?l=selinux&m=120491447421303&w=2 this mailing list post])

To add a new permission to SELinux:
1) check out a copy of the refpolicy from oss.tresys.com
2) cd refpolicy/policy/flask/
3) edit access_vectors and add your definition
4) run make
5) run make LINUX_D=/path/to/linux-2.6 tokern to push the kernel headers to your kernel tree
6) run make LIBSELINUX_D=/path/to/libselinux tolib to push the libselinux headers to your libselinux tree.

Then you can generate patches against policy, kernel, and libselinux.

There is also the backward compatibility issue - we must not break
akpm's system if he boots a new kernel on an existing distro that lacks
new policy.
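
The edit in step 3, as an added example (not part of the mailing list post or of refpolicy): a shell function that appends a permission to the end of one class's block in an access_vectors-style file, so existing permissions keep their order, and refuses names the class already defines or inherits. The file layout, the sample data and the name example_perm are assumptions constructed for illustration.

```shell
# write_sample FILE: constructed access_vectors-style sample (assumed layout).
write_sample() {
    cat > "$1" <<'EOF'
common file
{
    ioctl
    read
}
class file
inherits file
{
    execute_no_trans
    entrypoint
}
class lnk_file
inherits file
EOF
}

# add_permission FILE CLASS PERM: append PERM as the last entry of CLASS's
# own block, so the order of existing permissions does not change.
# Returns 1: no such class, 2: PERM already defined or inherited,
# 3: CLASS has no { } block to extend.
add_permission() {
    tmp=$(mktemp) || return 4
    rc=0
    awk -v cls="$2" -v perm="$3" '
        $1 == "class" || $1 == "common" {
            kind = $1; name = $2
            in_cls = (kind == "class" && name == cls)
            if (in_cls) found = 1
        }
        # Remember permissions of each common block for the inherits check.
        kind == "common" && NF == 1 && $1 !~ /^[{}#]/ { common[name, $1] = 1 }
        in_cls && $1 == "inherits" && (($2, perm) in common) { dup = 1 }
        in_cls && $1 == perm { dup = 1 }
        # Closing brace of the target block: emit the new permission first.
        in_cls && $1 == "}" { if (!dup) { print "    " perm; added = 1 }; in_cls = 0 }
        { print }
        END { if (!found) exit 1; if (dup) exit 2; if (!added) exit 3 }
    ' "$1" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then cat "$tmp" > "$1"; fi
    rm -f "$tmp"
    return "$rc"
}

# Demo: prints the sample with example_perm appended to class file.
demo=$(mktemp) && write_sample "$demo" && add_permission "$demo" file example_perm && cat "$demo"; rm -f "$demo"
```

On a real tree the same edit is followed by steps 4 to 6 above, which regenerate the headers from the changed access_vectors.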