Switching to Targeted Reference Policy

The reference policy is now available on Fedora Core 5 systems and newer, and Red Hat Enterprise Linux 5, as selinux-policy 2.*. If you are using Rawhide, simply update your policy using yum. This guide will walk you through switching to the targeted reference policy on a basic Fedora Core 4 system.

Download and unpack the policy

The policy is available from the DownloadRelease page. Download the policy, and unpack it to a temporary directory. Then use the install-src make target to install the policy sources.

# tar -jxvf refpolicy-20071214.tar.bz2 -C /tmp

# cd /tmp/refpolicy
# make install-src

Configure the policy

The policy source is found in the /etc/selinux/refpolicy/src/policy/ directory.

# cd /etc/selinux/refpolicy/src/policy

Edit the policy build.conf file (/etc/selinux/refpolicy/src/policy/build.conf). Near the top of the file, the policy has a few build options. The DISTRO option needs to be uncommented and set to redhat, and DIRECT_INITRC should be set to y.

########################################
#
# Policy build options
#

# Policy version
# By default, checkpolicy will create the highest
# version policy it supports.  Setting this will
# override the version.  This only has an
# effect for monolithic policies.
#OUTPUT_POLICY = 18

# Policy Type
# standard, mls, mcs
TYPE = standard

# Policy Name
# If set, this will be used as the policy
# name.  Otherwise the policy type will be
# used for the name.
NAME = refpolicy

# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution.  Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, suse, and rhel4 are current options.
# Fedora users should enable redhat.
DISTRO = redhat

# Unknown Permissions Handling
# The behavior for handling permissions defined in the
# kernel but missing from the policy.  The permissions
# can either be allowed, denied, or the policy loading
# can be rejected.
# allow, deny, and reject are current options.
#UNK_PERMS = deny

# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requiring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC=y

# Build monolithic policy.  Putting n here
# will build a loadable module policy.
MONOLITHIC=y

# Number of MLS Sensitivities
# The sensitivities will be s0 to s(MLS_SENS-1).
# Dominance will be in increasing numerical order
# with s0 being lowest.
MLS_SENS=16

# Number of MLS Categories
# The categories will be c0 to c(MLS_CATS-1).
MLS_CATS=256

# Number of MCS Categories
# The categories will be c0 to c(MCS_CATS-1).
MCS_CATS=256

# Set this to y to only display status messages
# during build.
QUIET=n

Install the policy

Next, install the policy, application configuration files, and file contexts.

# make install

Change SELinux Configuration

Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy. It should look similar to this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=refpolicy

Restart and Relabel

The system needs to be rebooted with the new policy and the filesystem relabeled on boot to finalize the switch. Creating /.autorelabel makes the init scripts relabel every filesystem on the next boot, so files get contexts from the new policy's file_contexts before any confined domain runs.

# touch /.autorelabel
# shutdown -r now
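The whole configuration part of the procedure above (the two build.conf options and SELINUXTYPE), as an added example that is not part of the original guide: POSIX shell functions that make the edits with sed and then verify them, so you can check the result before rebooting into the new policy. The function names and the abbreviated sample copies of build.conf and /etc/selinux/config are constructed for this example; the real paths are the ones the guide names. Run it against copies first, then against the real files as root.

```shell
#!/bin/sh
# Added example (not from the guide): apply and verify the build.conf and
# /etc/selinux/config edits. File paths are parameters so the functions can
# be exercised on copies before touching the real files.

# Set KEY to VALUE in a build.conf-style file. Matches "KEY = ..." whether
# or not the line is commented out ("#KEY = ..."), replaces the whole line,
# and appends the setting if no such line exists. sed output goes through a
# temp file so this works with both GNU and BSD sed.
set_build_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^#?[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s/^#?[[:space:]]*$key[[:space:]]*=.*/$key = $value/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective (uncommented) value of a build.conf option, last one wins.
get_build_option() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Set SELINUXTYPE=<type> in an /etc/selinux/config-style file.
set_selinux_type() {
    file=$1; type=$2
    if grep -q '^SELINUXTYPE=' "$file"; then
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$type/" "$file" \
            > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf 'SELINUXTYPE=%s\n' "$type" >> "$file"
    fi
}

get_selinux_type() {
    sed -n 's/^SELINUXTYPE=//p' "$1" | tail -n 1
}

# Verification: succeeds only if DISTRO=redhat and DIRECT_INITRC=y are the
# effective settings (a still-commented "#DISTRO = redhat" does not count).
check_build_conf() {
    [ "$(get_build_option "$1" DISTRO)" = "redhat" ] &&
    [ "$(get_build_option "$1" DIRECT_INITRC)" = "y" ]
}

# Apply everything the guide asks for and verify it. Usage on the real system:
#   apply_guide_settings /etc/selinux/refpolicy/src/policy/build.conf /etc/selinux/config
apply_guide_settings() {
    set_build_option "$1" DISTRO redhat
    set_build_option "$1" DIRECT_INITRC y
    set_selinux_type "$2" refpolicy
    check_build_conf "$1" && [ "$(get_selinux_type "$2")" = "refpolicy" ]
}

# Constructed sample files (abbreviated copies of the two files shown in the
# guide, with DISTRO still commented out and DIRECT_INITRC=n as the starting
# point) so the functions can be tried without touching /etc.
make_sample_files() {
    cat > "$1/build.conf" <<'EOF'
TYPE = standard
NAME = refpolicy
#DISTRO = redhat
#UNK_PERMS = deny
DIRECT_INITRC=n
MONOLITHIC=y
EOF
    cat > "$1/config" <<'EOF'
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Dry run on the sample copies: prints the resulting values and exits non-zero
# if verification fails.
demo() {
    dir=$(mktemp -d)
    make_sample_files "$dir"
    apply_guide_settings "$dir/build.conf" "$dir/config" || return 1
    echo "DISTRO=$(get_build_option "$dir/build.conf" DISTRO)"
    echo "DIRECT_INITRC=$(get_build_option "$dir/build.conf" DIRECT_INITRC)"
    echo "SELINUXTYPE=$(get_selinux_type "$dir/config")"
    rm -rf "$dir"
}
```

The verification step matters because a commented-out `#DISTRO = redhat` builds fine but silently drops all the Red Hat specific policy, and a leftover `SELINUXTYPE=targeted` means the reboot loads the old policy while the relabel uses the old file_contexts.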