[DSE-Dev] Fixing up SELinux reference policy for Debian

Manoj Srivastava srivasta at debian.org
Thu May 10 14:13:40 UTC 2007


Hi folks,


        I have started in earnest to try and get the current reference
 policy to the point where I can create a headless build virtual machine
 running strict policy in enforcing mode.  At this point, I have a
 local.te file that enables me to log in, either as root or as myself,
 mount a hostfs directory, unmount it, and log out.  There were not too
 many differences yet:
,----
| __> egrep allow localStrict.te | wc -l
| 6
| __> egrep dontaudit localStrict.te | wc -l
| 6
`----

        I am attaching the local.te file below for comment; some of this
 should probably go into the refpolicy package, and, eventually,
 upstream. 

        I note, however, that I am not able to install packages without
 AVC denials, copy things out of the hostfs to my home directory, or
 compile anything; so there will be more changes required to the strict
 policy.

        For those interested in the technique I am using, I look at the
 screenlog.0 file (essentially the console of the UML virtual machine;
 would be /var/log/messages on a real box).

        I then use an editor to chop the audit messages in the file into
 separate files, one group of related audit messages per resulting
 file. This allows me to correlate the changes to the denial messages.

        Next, I look at what audit2allow has to say, and copy the
 reasonable bits into my local policy (using s/^allow/dontaudit/
 liberally where I do not want to give the access).
,----
| __> egrep '^audit' avc.201* | audit2allow -v -m localstrict
| # audit2allow prints the generated rules to stdout; paste the ones you
| # actually want into the .te file, turning allow into dontaudit as needed
| __> $EDITOR localStrict.te
| __> checkmodule -M -m -o localStrict.mod localStrict.te
| __> semodule_package -o localStrict.pp -m localStrict.mod
`----

        Now, I just have to copy the file into my virtual machine
 root_fs, run the virtual machine, and install inside the VM using
    semodule -i localStrict.pp

        manoj
-- 
Do YOU have redeeming social value?
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
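The loop described in the message above, scripted as an added example (this is
editor-supplied illustration, not Manoj's own commands or anything from the
refpolicy package): pull the AVC denial records out of the console log, split
them into one file per group of related messages, rewrite selected allow rules
as dontaudit, and run the audit2allow / checkmodule / semodule_package
pipeline when those tools are present. The function names, the avc.<comm>.<tclass>
file layout, the sample log lines and the type names in them are all
assumptions made for illustration; the log is constructed, not captured from a
real guest.

```shell
#!/bin/sh
# Added example (not from the original message): a small POSIX sh toolkit
# that automates the loop described above -- harvest AVC denials from the
# console log, split them into one file per group of related messages, turn
# selected allow rules into dontaudit rules, and run the checkmodule /
# semodule_package pipeline. Function names, the directory layout and every
# log line and type name below are assumptions made for illustration.

# CONSTRUCTED console log in the 2.6-era audit record format: two dpkg
# denials on one file, one gcc denial, and a non-AVC record to be ignored.
SAMPLE_LOG='audit(1178806420.101:41): avc:  denied  { read } for  pid=1234 comm="dpkg" name="status" dev=ubd0 ino=5678 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dpkg_var_lib_t tclass=file
audit(1178806420.102:42): avc:  denied  { write } for  pid=1234 comm="dpkg" name="status" dev=ubd0 ino=5678 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dpkg_var_lib_t tclass=file
audit(1178806420.103:43): avc:  denied  { search } for  pid=1300 comm="gcc" name="tmp" dev=ubd0 ino=2 scontext=user_u:user_r:user_t tcontext=system_u:object_r:tmp_t tclass=dir
audit(1178806420.104:44): user pid=1 uid=0 auid=4294967295 msg=login'

# extract_avc LOG: print only the AVC denial records, the input audit2allow needs.
extract_avc() {
    grep 'avc: *denied' "$1" || true
}

# split_groups LOG DIR: one file per (comm, tclass) pair, named avc.<comm>.<tclass>,
# so each file holds one group of related denials. Prints the number of groups.
split_groups() {
    mkdir -p "$2"
    extract_avc "$1" | awk -v dir="$2" '
        {
            comm = ""; tclass = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)   { comm = substr($i, 6); gsub(/"/, "", comm) }
                if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
            }
            print > (dir "/avc." comm "." tclass)
        }'
    ls "$2" | grep -c '^avc\.' || true
}

# demote_to_dontaudit IN OUT TYPE...: copy an audit2allow .te file to OUT,
# rewriting "allow <src> <TYPE>:" rules as dontaudit for each listed target
# type (the s/^allow/dontaudit/ step, applied only where access is refused).
# Prints the number of dontaudit rules in OUT.
demote_to_dontaudit() {
    src="$1"; dst="$2"; shift 2
    cp "$src" "$dst"
    for t in "$@"; do
        sed "s/^allow \([A-Za-z0-9_]*\) $t:/dontaudit \1 $t:/" "$dst" > "$dst.tmp" &&
            mv "$dst.tmp" "$dst"
    done
    grep -c '^dontaudit' "$dst" || true
}

# build_module NAME DIR: the audit2allow / checkmodule / semodule_package
# pipeline from the message, run over every avc.* file in DIR, writing
# NAME.te, NAME.mod and NAME.pp into DIR. Returns 2 if the SELinux tools are
# not installed (e.g. on the host rather than inside the VM).
build_module() {
    name="$1"; dir="$2"
    for tool in audit2allow checkmodule semodule_package; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }
    done
    cat "$dir"/avc.* | audit2allow -m "$name" > "$dir/$name.te" &&
        checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
        semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
}

# Stand-alone run over the constructed log.
WORK=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$WORK/screenlog.0"
echo "groups: $(split_groups "$WORK/screenlog.0" "$WORK/groups")"
# Constructed stand-in for audit2allow's output, so the demotion step can be
# shown even where audit2allow is absent.
printf '%s\n' 'allow sysadm_t dpkg_var_lib_t:file { read write };' \
              'allow user_t tmp_t:dir search;' > "$WORK/local.te"
echo "dontaudit rules: $(demote_to_dontaudit "$WORK/local.te" "$WORK/localStrict.te" tmp_t)"
cat "$WORK/localStrict.te"
build_module localStrict "$WORK/groups" || echo "module build skipped (rc=$?)"
```

Two things worth keeping in mind when using something like this: a dontaudit
rule only silences the denial, the access is still refused, so the operation
that triggered it will still fail; and audit2allow happily emits allow rules for
sysadm_t against anything the log mentions, so each rule still wants a human
decision (allow, dontaudit, or a relabel) before it goes into the module.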