[DSE-User] Advice on modifying policies
Philip Tricca
phil at noggle.biz
Thu Sep 27 18:14:51 UTC 2007
Correction:
>> Does anyone have a quick How-To on modifying SELinux policies in Debian?
>> I am working with refpolicy-strict in Etch, but am running into a
>> number of deny errors for "init" that actually prevent the system from
>> booting. The documentation in the refpolicy-src package is a little thin
>> and Google is not much help. Any advice would be appreciated.
>
> Last week I was able to set up an Etch Xen domU image with
> refpolicy-strict from the packages in the standard Etch repositories.
> I'm not saying it was easy but I was able to do so without modifying the
> policy directly (I did have to hack the checkfs and checkroot init
> scripts however).
This was done on a Lenny install, not Etch.
> I'm gonna go ahead and guess (without knowing anything about your setup)
> that your file system labeling is the problem. Look into using commands
> like fixfiles to get your file system labeled. Also realize that every
> service you're running must have a policy defined. This makes Exim a no
> go from the start (though there has been some work on an Exim policy
> that I'm not familiar with). Speaking of modules ... tools like
> semodule are important since you must be sure all of the appropriate
> policy modules are loaded.
>
> Both Russell Coker and Erich Schubert have some excellent blog posts
> about getting Etch up with pointers to the relevant packages. As you
> mention the Debian Wiki has some good stuff. Dan Walsh probably has the
> best description of what goes into policy development and the SELinux
> supporting tools.
>
>> I promise I'll write a page for the Debian Wiki if I figure it out...
>
> I'm of the opinion that most of the necessary tools and stuff are pretty
> well documented on the web & man pages. Having pointers to these things
> on the SELinux portion of the Debian wiki may be a good idea however.
> ps. SELinux by example is a pretty good read too:
> http://selinuxbyexample.com/ :-)
Sorry for the confusion,
- Philip