SELinux Policy Development
Stefan Berger edited this page Oct 1, 2018 · 8 revisions
For SELinux policy development the following command lines have been useful:

```sh
# Disable the dontaudit statements in the policy to see everything that fails
> semodule --disable_dontaudit --build
# Have audit2allow create a policy with all the rules that fail; then fish out the
# rules that are relevant for swtpm, which are those related to svirt_t and svirt_tcg_t
> audit2allow -i /var/log/audit/audit.log -l -M mypolicy
# Move the swtpm-related rules from mypolicy.te into src/selinux/swtpm_svirt.te
> gedit mypolicy.te src/selinux/swtpm_svirt.te
# Build the SELinux policy packages
> make -j4
# Remove the old swtpm SELinux policy packages
> sudo semodule --remove swtpm_svirt swtpm
# Load the new swtpm SELinux policy packages
> sudo semodule --install src/selinux/swtpm.pp.bz2 src/selinux/swtpm_svirt.pp.bz2
```
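The "fish out the relevant rules" step above is done by hand in an editor. The script below is an added example (it is not from the swtpm wiki or the swtpm sources) that automates that step: it reads the `mypolicy.te` written by `audit2allow -M mypolicy`, keeps only the `allow` rules whose source domain is `svirt_t` or `svirt_tcg_t`, and prints them together with a `require { ... }` block for the types they reference. It assumes audit2allow's usual layout of one `allow <source> <target>:<class> <perms>;` rule per line; the sample `.te` content embedded in it is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the swtpm wiki: pull the svirt_t / svirt_tcg_t
# rules out of the mypolicy.te that audit2allow wrote, together with the
# type declarations they need. Assumes audit2allow's usual layout of one
# "allow <source> <target>:<class> <perms>;" rule per line.

# Allow rules whose source domain is svirt_t or svirt_tcg_t.
# $1: path to the .te file generated by "audit2allow -M mypolicy"
svirt_rules() {
    awk '$1 == "allow" && ($2 == "svirt_t" || $2 == "svirt_tcg_t")' "$1"
}

# Number of such rules (a quick sanity check before editing swtpm_svirt.te).
count_svirt_rules() {
    svirt_rules "$1" | wc -l | tr -d ' '
}

# Types referenced by those rules (source and target), one per line,
# sorted with a fixed locale so the output is stable.
svirt_types() {
    svirt_rules "$1" |
        awk '{ split($3, tgt, ":"); print $2; print tgt[1] }' |
        LC_ALL=C sort -u
}

# A .te fragment in audit2allow's plain "require { ... }" syntax, ready to be
# pasted into swtpm_svirt.te and then adapted to the interfaces used there.
svirt_fragment() {
    echo "require {"
    svirt_types "$1" | while read -r t; do printf '\ttype %s;\n' "$t"; done
    echo "}"
    echo
    svirt_rules "$1"
}

# Constructed sample of audit2allow output (not captured from a real host).
sample_te() {
    cat <<'EOF'
module mypolicy 1.0;

require {
    type svirt_t;
    type svirt_tcg_t;
    type swtpm_t;
    type unconfined_t;
    class unix_stream_socket connectto;
    class sock_file write;
}

#============= svirt_t ==============
allow svirt_t swtpm_t:unix_stream_socket connectto;
allow svirt_t swtpm_t:sock_file write;

#============= svirt_tcg_t ==============
allow svirt_tcg_t swtpm_t:unix_stream_socket connectto;

#============= unconfined_t ==============
allow unconfined_t swtpm_t:unix_stream_socket connectto;
EOF
}

# Stand-alone demonstration: write the sample to a temp file and show the
# fragment that would be moved into swtpm_svirt.te.
demo_file=$(mktemp)
sample_te > "$demo_file"
svirt_fragment "$demo_file"
rm -f "$demo_file"
```

Run it against the real file with `svirt_fragment mypolicy.te`. The `unconfined_t` rule in the sample is dropped because its source domain is not one of the two svirt domains, which is the same selection the wiki describes doing by hand; the generated `require` block only lists types, so class and permission declarations still have to be checked against what `swtpm_svirt.te` already pulls in. Once the rules have been moved and the packages rebuilt, a plain `semodule --build` (without `--disable_dontaudit`) restores the dontaudit rules that were switched off for the capture.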