Hi.

I'm trying to figure out where the SELinux policy modules shipped with
the system live, and how they work. The modules listed by 'semodule -l'
are the same as those available in
/etc/selinux/targeted/modules/active/modules, but those are not part of
any package, and are presumably added to and removed from this location
as they are added to and removed from the kernel.

I later found these modules to live in /usr/share/selinux. If I create a
policy module of my own, is this the place to put it to make sure that
it is loaded when the system boots? Or do I also need to list it
somewhere, such as in a configuration file? The reason why I ask is because
there are a few .pp files in this directory that are not visible in the
list of loaded modules, and they are also not available in the
/etc/selinux/.../modules directory above.

Today I tried to figure out what these precompiled policy packages
contain, but that isn't exactly obvious. I found .if files in
/usr/share/selinux/devel/include/... that correspond to the .pp files in
/usr/share/selinux, but nothing else. The .if files only contain
definitions, but don't these need to be used somewhere, such as in .te
files? And what about the .fc files that the policy generation tool in
system-config-selinux creates? Are such files not needed?

Lots of questions, but the documentation on this subject isn't exactly
stellar. :)

Regards
Ingemar