[CentOS] SELinux policy module sources

Mon May 5 16:42:30 UTC 2008
Ingemar Nilsson <init at kth.se>


I'm trying to figure out where the SELinux policy modules shipped with 
the system live, and how they work. The modules listed by 'semodule -l' 
are the same as those available in 
/etc/selinux/targeted/modules/active/modules, but those are not part of 
any package, and are presumably added to and removed from this location 
as they are added to and removed from the kernel.

I later found these modules to live in /usr/share/selinux. If I create a 
policy module of my own, is this the place to put it to make sure that 
it is loaded when the system boots? Or do I also need to list it 
somewhere, such as in a configuration file? The reason I ask is that 
there are a few .pp files in this directory that are not visible in the 
list of loaded modules, and they are also not available in the 
/etc/selinux/.../modules directory above.

Today I tried to figure out what these precompiled policy packages 
contain, but that isn't exactly obvious. I found .if files in 
/usr/share/selinux/devel/include/... that correspond to the .pp files in 
/usr/share/selinux, but nothing else. The .if files only contain 
definitions, but don't these need to be used somewhere, such as in .te 
files? And what about the .fc files that the policy generation tool in 
system-config-selinux creates? Are such files not needed?

Lots of questions, but the documentation on this subject isn't exactly 
stellar. :)
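The source-to-.pp workflow the post is asking about, as an added example that is not part of the original message: a .te file that calls interfaces from the devel .if headers, a .fc file that labels the binary, the devel Makefile turning them into a .pp, and semodule placing it in the module store. It assumes /usr/share/selinux/devel/Makefile and semodule are installed; the module name, type names and binary path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the selinux-policy package.
# Assumes /usr/share/selinux/devel/Makefile and semodule exist.
MODNAME=localexample   # constructed module name

# A module is built from three source files placed in one directory:
#   .te  type enforcement rules; this is where the .if interfaces get CALLED
#   .fc  file contexts, the on-disk labels the module expects
#   .if  interfaces this module offers to others (may be empty)
write_sources() {
    dir=$1
    cat > "$dir/$MODNAME.te" <<'EOF'
policy_module(localexample, 1.0)

# Declarations (constructed type names)
type localexample_t;
type localexample_exec_t;
init_daemon_domain(localexample_t, localexample_exec_t)

# Interface calls; their definitions live in
# /usr/share/selinux/devel/include/*/*.if
files_read_etc_files(localexample_t)
logging_send_syslog_msg(localexample_t)
EOF
    cat > "$dir/$MODNAME.fc" <<'EOF'
# Placeholder path for the daemon binary
/usr/local/sbin/localexample    --    gen_context(system_u:object_r:localexample_exec_t,s0)
EOF
    : > "$dir/$MODNAME.if"
}

# Compile the sources into a .pp and install it. semodule -i copies the
# package into /etc/selinux/targeted/modules/active/modules/ and rebuilds
# the kernel policy, so the module is listed by 'semodule -l' and loaded
# on every boot; nothing else has to be registered.
build_and_load() {
    dir=$1
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" ) || return 1
    semodule -i "$dir/$MODNAME.pp" || return 1
    semodule -l | grep -q "^$MODNAME"
}

# Run the install only when asked explicitly (needs root and SELinux tools)
if [ "${1:-}" = "--install" ]; then
    workdir=$(mktemp -d)
    write_sources "$workdir" && build_and_load "$workdir"
fi
```

The .pp files under /usr/share/selinux/targeted that are absent from 'semodule -l' are packages that simply have not been installed with semodule -i, which is why they do not appear in the module store either.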