[DSE-User] Advice on modifying policies
Philip Tricca
phil at noggle.biz
Thu Sep 27 18:09:04 UTC 2007
Bill,
Bill Thompson wrote:
> Does anyone have a quick How-To on modifying SELinux policies in Debian?
> I am working with refpolicy-strict in Etch, but am running into a
> number of deny errors for "init" that actually prevent the system from
> booting. The documentation in the refpolicy-src package is a little thin
> and Google is not much help. Any advice would be appreciated.
Last week I was able to set up an Etch Xen domU image with
refpolicy-strict from the packages in the standard Etch repositories.
I'm not saying it was easy but I was able to do so without modifying the
policy directly (I did have to hack the checkfs and checkroot init
scripts however).
I'm gonna go ahead and guess (without knowing anything about your setup)
that your file system labeling is the problem. Look into using commands
like fixfiles to get your file system labeled. Also realize that every
service you're running must have a policy defined. This makes Exim a no
go from the start (though there has been some work on an Exim policy
that I'm not familiar with). Speaking of modules ... tools like
semodule are important since you must be sure all of the appropriate
policy modules are loaded.
Both Russell Coker and Erich Schubert have some excellent blog posts
about getting Etch up with pointers to the relevant packages. As you
mention, the Debian Wiki has some good stuff. Dan Walsh probably has the
best description of what goes into policy development and the SELinux
supporting tools.
> I promise I'll write a page for the Debian Wiki if I figure it out...
I'm of the opinion that most of the necessary tools and stuff are pretty
well documented on the web & man pages. Having pointers to these things
on the SELinux portion of the Debian wiki may be a good idea however.
Good luck,
- Philip
ps. SELinux by example is a pretty good read too:
http://selinuxbyexample.com/ :-)
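
An added example, not part of the original message: a shell function that sorts AVC denials into those whose target is unlabeled (type file_t or unlabeled_t, where a relabel with a tool like fixfiles is the fix) and those that point at missing or unloaded policy (check the loaded modules with semodule). The log lines are constructed and the function names sample_avc and triage_avc are hypothetical.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials into "relabel" vs "policy".
# Assumption: a target type of file_t or unlabeled_t means the object has
# no valid label, so relabeling is the fix rather than new policy.

# Constructed sample log lines (not taken from any real system).
sample_avc() {
cat <<'EOF'
kjournald starting.  Commit interval 5 seconds
audit(1190916544.101:3): avc:  denied  { read } for  pid=1 comm="init" name="inittab" dev=sda1 ino=4101 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1190916544.105:4): avc:  denied  { getattr } for  pid=1 comm="init" name="inittab" dev=sda1 ino=4101 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
audit(1190916544.230:5): avc:  denied  { search } for  pid=1 comm="init" name="dev" dev=sda1 ino=12 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
audit(1190916551.412:9): avc:  denied  { append } for  pid=812 comm="exim4" name="mainlog" dev=sda1 ino=9920 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
EOF
}

# Reads log lines on stdin and prints one line per distinct
# (source type, target type, class): "<fix> <source> <target> <class> <count>".
triage_avc() {
  awk '
    /avc:/ && /denied/ {
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type[:level]; the type is the third field.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "") next   # skip malformed records
      fix = (tgt == "file_t" || tgt == "unlabeled_t") ? "relabel" : "policy"
      count[fix " " src " " tgt " " cls]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample.
sample_avc | triage_avc
```

On a real system, feed the function the kernel log or audit log instead of the sample.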