create new policy

xml/security_cryptopolicy.xml

@@ -114,7 +114,7 @@
  policies, therefore see the man page of
  <command>crypto-policies</command>. All predefined policies are located
  in
- <filename>/usr/share/crypto-policies/policies<replaceable>NAME</replaceable>.pol</filename>
+ <filename>/usr/share/crypto-policies/policies/<replaceable>NAME</replaceable>.pol</filename>
  and are read-only.
  </para>
  </sect1>
@@ -178,8 +178,8 @@
  <filename>/usr/share/crypto-policies/policies/modules</filename>.
  However, your own subpolicies need to be stored in
  <filename>/etc/crypto-policies/policies/modules</filename> (unless they
- are packaged) . The name of the subpolicy file must be
- <replaceable>MODULE</replaceable>.pmod, where
+ are packaged). The name of the subpolicy file must be
+ <filename><replaceable>MODULE</replaceable>.pmod</filename>, where
  <replaceable>MODULE</replaceable> is the name of the subpolicy. It needs
  to be spelled in uppercase letters and without spaces.
  </para>
@@ -216,7 +216,6 @@
  Assuming the current system-wide policy is
  <literal>DEFAULT</literal> and you want to apply the newly created
  subpolicy to <literal>DEFAULT</literal>:
- command:
  </para>
 <screen>&prompt.root;<command>update-crypto-policies --set DEFAULT:NO-RSA-PSK</command></screen>
  </step>
@@ -226,17 +225,79 @@
  <literal>DEFAULT</literal>:
  </para>
 <screen><command>update-crypto-policies --show</command>
- DEFAULT:NO-RSA-PSK</screen>
+DEFAULT:NO-RSA-PSK</screen>
  </step>
  <step>
  <para>
  Reboot the system to apply the system-wide policy adjustment to the
- applications.
+ applications:
  </para>
+<screen>&prompt.root;<command>reboot</command></screen>
  </step>
  </procedure>
  </example>
+ </sect1>
+ <sect1>
+ <title>Creating a new policy from scratch</title>
+
+ <para>
+ Instead of customizing an existing crypto-policy with a subpolicy you can
+ also decide to write a new policy from scratch. You can use any of the
+ predefined policies in
+ <filename>/usr/share/crypto-policies/policies/</filename> as a starting
+ point. However, your own policy file needs to be stored in
+ <filename>/etc/crypto-policies/policies/</filename>. Name your file
+ <filename><replaceable>MY_POLICY</replaceable>.pol</filename>, where
+ <replaceable>MY_POLICY</replaceable> is the name of the policy. Make sure
+ it is owned by &rootuser; and is not writable by non-privileged users.
+ </para>
 
- <!--todo: add another section how to create a new policy from scratch-->
+ <example xml:id="ex-crypto-policy-custom">
+ <title>Creating a new policy and applying it</title>
+ <para>
+ The following example shows you how to create a new policy based on the
+ <literal>DEFAULT</literal> policy.
+ </para>
+ <procedure>
+ <step>
+ <para>
+ Copy the <literal>DEFAULT</literal> policy to
+ <filename>/etc/crypto-policies/policies/</filename> and rename it:
+ </para>
+<screen>cp /usr/share/crypto-policies/policies/DEFAULT.pol /etc/crypto-policies/policies/<replaceable>MY_POLICY</replaceable>.pol</screen>
+ </step>
+ <step>
+ <para>
+ Edit the policy as desired and save it.
+ </para>
+ </step>
+ <step>
+ <para>
+ Switch the system to the new policy:
+ </para>
+<screen>&prompt.root;<command>update-crypto-policies --set MY_POLICY</command></screen>
+ </step>
+ <step>
+ <para>
+ Reboot the system to apply the new policy to the
+ applications and running services:
+ </para>
+<screen>&prompt.root;<command>reboot</command></screen>
+ </step>
+ <step>
+ <para>
+ Double-check if the policy is active:
+ </para>
+<screen><command>update-crypto-policies --show</command>
+MY_POLICY</screen>
+ </step>
+ <step>
+ <para>
+ Reboot the system to apply the system-wide policy adjustment to the
+ applications.
+ </para>
+ </step>
+ </procedure>
+ </example>
  </sect1>
 </chapter>