[DSE-User] Advice on modifying policies

Philip Tricca phil at noggle.biz
Thu Sep 27 18:09:04 UTC 2007


Bill,

Bill Thompson wrote:
> Does anyone have a quick How-To on modifying SELinux policies in Debian?
> I am working with refpolicy-strict in Etch, but am running into a
> number of deny errors for "init" that actually prevent the system from
> booting. The documentation in the refpolicy-src package is a little thin
> and Google is not much help. Any advice would be appreciated.

Last week I was able to set up an Etch Xen domU image with 
refpolicy-strict from the packages in the standard Etch repositories. 
I'm not saying it was easy but I was able to do so without modifying the 
policy directly (I did have to hack the checkfs and checkroot init 
scripts however).

I'm gonna go ahead and guess (without knowing anything about your setup) 
that your file system labeling is the problem.  Look into using commands 
like fixfiles to get your file system labeled.  Also realize that every 
service you're running must have a policy defined.  This makes Exim a no 
go from the start (though there has been some work on an Exim policy 
that I'm not familiar with).  Speaking of modules ... tools like 
semodule are important since you must be sure all of the appropriate 
policy modules are loaded.

Both Russell Coker and Erich Schubert have some excellent blog posts 
about getting Etch up with pointers to the relevant packages.  As you 
mention the Debian Wiki has some good stuff.  Dan Walsh probably has the 
best description of what goes into policy development and the SELinux 
supporting tools.

> I promise I'll write a page for the Debian Wiki if I figure it out...

I'm of the opinion that most of the necessary tools and stuff are pretty 
well documented on the web & man pages. Having pointers to these things 
on the SELinux portion of the Debian wiki may be a good idea however.

Good luck,
- Philip

ps. SELinux by Example is a pretty good read too: 
http://selinuxbyexample.com/  :-)
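
Added example, not part of the original post: a small triage of AVC denial lines that separates denials whose target is an unlabeled file (the labeling problem guessed at above) from denials on labeled targets. The log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# file_t: no label stored on disk; unlabeled_t: missing or invalid context.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', m.group("rest"))
    return {
        "perms": m.group("perms").split(),
        "comm": comm.group(1) if comm else None,
        "source_type": context_type(m.group("scontext")),
        "target_type": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def triage(lines):
    """Heuristic: count denials keyed by (cause, source, target, class)."""
    summary = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        cause = "labeling" if d["target_type"] in UNLABELED_TYPES else "policy"
        summary[(cause, d["source_type"], d["target_type"], d["tclass"])] += 1
    return summary

# Constructed sample log lines (not taken from the thread).
SAMPLE = [
    'audit(1190916544.101:3): avc:  denied  { read } for  pid=1 comm="init" name="inittab" dev=sda1 ino=1201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'audit(1190916544.105:4): avc:  denied  { getattr } for  pid=1 comm="init" name="inittab" dev=sda1 ino=1201 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'audit(1190916545.220:5): avc:  denied  { write } for  pid=1 comm="init" name="example.conf" dev=sda1 ino=1377 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'EXT3-fs: mounted filesystem with ordered data mode.',
]

if __name__ == "__main__":
    for key, count in triage(SAMPLE).most_common():
        print(count, *key)
```

Denials counted under "labeling" are the ones a relabel with fixfiles addresses; the "policy" ones point at a missing module or rule instead.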


