From owner-p4-projects@FreeBSD.ORG Thu Jul 6 07:43:29 2006
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 27FD716A4E0; Thu, 6 Jul 2006 07:43:29 +0000 (UTC)
X-Original-To: perforce@FreeBSD.org
Delivered-To: perforce@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 037D616A4DD for ; Thu, 6 Jul 2006 07:43:29 +0000 (UTC) (envelope-from dongmei@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id B11D243D4C for ; Thu, 6 Jul 2006 07:43:28 +0000 (GMT) (envelope-from dongmei@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k667hSH8041099 for ; Thu, 6 Jul 2006 07:43:28 GMT (envelope-from dongmei@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k667hRew041096 for perforce@freebsd.org; Thu, 6 Jul 2006 07:43:27 GMT (envelope-from dongmei@FreeBSD.org)
Date: Thu, 6 Jul 2006 07:43:27 GMT
Message-Id: <200607060743.k667hRew041096@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to dongmei@FreeBSD.org using -f
From: dongmei
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 100699 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
X-List-Received-Date: Thu, 06 Jul 2006 07:43:29 -0000

http://perforce.freebsd.org/chv.cgi?CH=100699

Change 100699 by dongmei@soc-dongmei-sebsd on 2006/07/06 07:42:48

	Modified to support making modular policy. If you want to make modular policy, not monolithic policy, you should modify MONOLITHIC to n in build.conf, then run: gmake policy. That will create loadable modular policy.

	Then, based on this, you can write your own loadable modular policy as follows:

	write myapp.te file                          # include the private types for the module and the allow rules
	write myapp.fc file                          # define the files' security context
	write myapp.if file                          # define the interface for other modules
	make install-header                          # install the policy header files to /usr/share/sebsd/include/
	make -f /usr/share/sebsd/include/Makefile    # create the myapp.pp module
	semodule -i myapp.pp                         # load the myapp.pp policy module
	semodule -l                                  # use this command to look up the myapp.pp policy module's status

Affected files ...

.. //depot/projects/soc2006/dongmei_sebsd/Makefile#4 edit
.. //depot/projects/soc2006/dongmei_sebsd/SEBSD-Installation.txt#2 integrate
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#2 edit
.. //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Rules.modular#2 edit

Differences ...

==== //depot/projects/soc2006/dongmei_sebsd/Makefile#4 (text+ko) ====

==== //depot/projects/soc2006/dongmei_sebsd/SEBSD-Installation.txt#2 (text+ko) ====
@@ -41,13 +41,24 @@ # pkg_add -r gmake -3. Install SEBSD sources. After downloading the sources from +3. Enable multilabel support on filesystems. In order for the SEBSD file + labeling to function properly, file label support must be enabled. To + enable multilabel support on your system, boot into single user mode + and use 'tunefs' to enable multilabel support for each filesystem on + your system. Here is an example for /. + + # tunefs -l enable / + + Repeat this step, substituting each other filesystem in place of / as + above. + +4. Install SEBSD sources. After downloading the sources from http://www.trustedbsd.org/sebsd.html, untar them into /usr/src. # cd /usr/src # tar -zxf /path/to/sebsd-.tar.gz -4. Build the SEBSD system. This process is similar to the canonical +5. Build the SEBSD system. This process is similar to the canonical building of world detailed in the FreeBSD Handbook, with a few additional steps, and some re-arranging of the typical order. @@ -85,7 +96,7 @@ the FreeBSD boot loader. Refer to the FreeBSD handbook for more information on the boot loader. -5. Inspect the SEBSD policy. The system comes pre-installed with a +6. Inspect the SEBSD policy. The system comes pre-installed with a sample policy, but local changes might be required. The policy source is located in /etc/security/sebsd/targeted/src/policy and the compiled (binary) version is installed in 
@@ -108,17 +119,16 @@ /usr/sbin/load_policy /etc/security/sebsd/targeted/policy/policy.20 -6. Label the file system. In step 4b, extended attribute support was - enabled in the fstab file , but the individual filesystems were not - labeled. To label all file systems, login as root and run the - following command: +7. Label the file system. In step 3, extended attribute support was + enabled, but the individual filesystems were not labeled. To label all + file systems, login as root and run the following command: cd /etc/security/sebsd/targeted/src/policy && gmake relabel Note that you will see several errors during the relabel process as well as many permission denials on the system console. This is normal. -7. Reboot the machine, so that applications can use the file labels +8. Reboot the machine, so that applications can use the file labels and will be started in the correct domains. At this point, the machine will be running SEBSD with the sample ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Makefile#2 (text+ko) ==== @@ -49,7 +49,7 @@ CHECKPOLICY := $(BINDIR)/checkpolicy CHECKMODULE := $(BINDIR)/checkmodule SEMODULE := $(SBINDIR)/semodule -SEMOD_PKG := $(BINDIR)/semodule_package +SEMOD_PKG := $(SBINDIR)/semodule_package LOADPOLICY := $(SBINDIR)/load_policy SETFILES := $(SBINDIR)/setfiles GENHOMEDIRCON := $(SBINDIR)/genhomedircon @@ -136,7 +136,7 @@ USERPATH = $(INSTALLDIR)/users CONTEXTPATH = $(INSTALLDIR)/contexts FCPATH = $(CONTEXTPATH)/files/file_contexts -SHAREDIR = $(PREFIX)/share/selinux +SHAREDIR = $(PREFIX)/share/sebsd MODPKGDIR = $(SHAREDIR)/$(NAME) HEADERDIR = $(MODPKGDIR)/include DOCSDIR = $(PREFIX)/share/doc/$(PKGNAME) ==== //depot/projects/soc2006/dongmei_sebsd/contrib/sebsd/refpolicy/Rules.modular#2 (text+ko) ==== 
@@ -73,7 +73,7 @@ @test -d $(TMPDIR) || mkdir -p $(TMPDIR) $(call peruser-expansion,$(basename $(@F)),$@.role) $(verbose) m4 $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) - $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ + $(verbose) $(CHECKMODULE) -m -o $@ $(@:.mod=.tmp) $(TMPDIR)/%.mod.fc: $(M4SUPPORT) %.fc @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
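Review bot: the new step 3 in SEBSD-Installation.txt (hunk @@ -41,13 +41,24 @@) tells the reader to run `tunefs -l enable /` for every filesystem but gives no way to confirm the flag took effect, and does not say that the step only applies to UFS filesystems. Since the later relabel step depends on this flag being set on every filesystem that will hold labeled files, suggest adding a verification line after the enable command, e.g. `# tunefs -p /`, which prints the current tunable flags including the multilabel setting, and rewording "each other filesystem" to "each other UFS filesystem that will be labeled".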
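Review bot: in hunk @@ -108,17 +119,16 @@ the rewritten step 7 drops the reference to the fstab change ("In step 4b, extended attribute support was enabled in the fstab file") and now cites only the new tunefs step 3. If the fstab edit in old step 4b (renumbered 5b by the first hunk) still exists, step 7 should cite both, otherwise the reader loses the only pointer to the mount-entry change; if the fstab edit was removed, that removal is not in this diff and should be checked before the integrate.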
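Review bot: in refpolicy/Makefile hunk @@ -49,7 +49,7 @@, moving `SEMOD_PKG` from `$(BINDIR)` to `$(SBINDIR)` makes it consistent with `SEMODULE` and `LOADPOLICY` while `CHECKPOLICY` and `CHECKMODULE` stay under `$(BINDIR)`; confirm against the SEBSD install target that `semodule_package` is really installed under sbin on this platform (the upstream SELinux userland puts it under bin), and add a short comment on the line recording that the SEBSD layout differs, otherwise the next refpolicy sync will silently revert it and the failure only appears as a missing command late in the module build.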
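Review bot: in refpolicy/Makefile hunk @@ -136,7 +136,7 @@, `SHAREDIR` now points at `$(PREFIX)/share/sebsd`, which matches the /usr/share/sebsd/include/ path in the change description and propagates to `MODPKGDIR` and `HEADERDIR`; please grep the rest of the tree for remaining `share/selinux` references (the header Makefile that `make install-header` installs, documentation, any install scripts), since a stale reference would install the headers into one tree and look for them in the other.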
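Review bot: in Rules.modular hunk @@ -73,7 +73,7 @@, reordering `$(CHECKMODULE) -m $(@:.mod=.tmp) -o $@` to `$(CHECKMODULE) -m -o $@ $(@:.mod=.tmp)` only matters because BSD getopt(3) stops option parsing at the first non-option argument, whereas GNU getopt permutes arguments, which is why upstream refpolicy gets away with the operand-before-option order. Add a one-line comment above the rule stating this so the reorder survives the next upstream merge, and check the other `CHECKMODULE` and `CHECKPOLICY` invocations in Rules.modular and Rules.monolithic for the same option-after-operand pattern.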
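The change description lists the three source files a loadable module needs (myapp.te, myapp.fc, myapp.if) and the build/load commands, but shows none of their contents. The script below is an added example, not part of this change or of the SEBSD tree: it writes a minimal module skeleton in SELinux reference-policy syntax (policy_module, domain_type, domain_entry_file, gen_context, domtrans_pattern and gen_require are upstream refpolicy macros assumed to be available through the installed headers) and prints, without running, the build sequence from the change description. The executable path /usr/local/bin/myapp and the two allow rules are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the SEBSD change): generate a minimal loadable
# policy module skeleton and list the build/load steps from the change
# description. Assumes refpolicy macros via /usr/share/sebsd/include/.

# write_module_skeleton DIR NAME [BINARY_PATH]
# Writes NAME.te, NAME.fc and NAME.if into DIR.
write_module_skeleton() {
    dir=$1
    name=$2
    bin=${3:-/usr/local/bin/$name}   # constructed sample path

    mkdir -p "$dir"

    # .te: the module's private types and its allow rules.
    cat > "$dir/$name.te" <<EOF
policy_module($name, 1.0)

# Private types: the domain the program runs in and its executable type.
type ${name}_t;
type ${name}_exec_t;
domain_type(${name}_t)
domain_entry_file(${name}_t, ${name}_exec_t)

# Least privilege: grant only what the program needs. These two rules are
# constructed placeholders; grow the list from audit denials, never by
# granting whole object classes.
allow ${name}_t self:process signal;
allow ${name}_t self:fifo_file rw_fifo_file_perms;
EOF

    # .fc: on-disk security context of the executable (regular file, "--").
    cat > "$dir/$name.fc" <<EOF
$bin		--	gen_context(system_u:object_r:${name}_exec_t,s0)
EOF

    # .if: the interface other modules call to transition into the domain.
    # Backticks and \$1 are escaped so they reach the file literally.
    cat > "$dir/$name.if" <<EOF
## <summary>$name policy module (constructed example)</summary>

########################################
## <summary>
##	Execute $name in the ${name}_t domain.
## </summary>
## <param name="domain">
##	<summary>Domain allowed to transition.</summary>
## </param>
#
interface(\`${name}_domtrans',\`
	gen_require(\`
		type ${name}_t, ${name}_exec_t;
	')

	domtrans_pattern(\$1, ${name}_exec_t, ${name}_t)
')
EOF
}

# module_build_steps NAME
# Prints (does not run) the sequence given in the change description.
module_build_steps() {
    name=$1
    cat <<EOF
make install-header                         # headers -> /usr/share/sebsd/include/
make -f /usr/share/sebsd/include/Makefile   # builds $name.pp from $name.{te,fc,if}
semodule -i $name.pp                        # load the module
semodule -l                                 # confirm $name appears in the list
EOF
}

# Usage: write_module_skeleton ./myapp myapp /usr/local/bin/myapp
#        (cd ./myapp && module_build_steps myapp)
```

Run `write_module_skeleton` into a scratch directory, review the generated .te against the program's actual file and process accesses, then follow the printed steps from inside that directory; `semodule -l` after the install is the check that the module actually loaded.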