Switching to Targeted Reference Policy

	This guide will walk you through switching to the targeted reference

	policy on a Fedora system.  Note: Reference Policy should not yet

	be used on production systems.

	Download and unpack the policy

	The policy is available

	from Sourceforge.  Download the policy, and unpack it to a temporary

	directory.  Then use the install-src make target to install the policy

	sources.

# tar -jxvf refpolicy-20050802.tar.bz2 -C /tmp

# cd /tmp/refpolicy

# make install-src

	Configure the policy

	The policy source is found in the

	/etc/selinux/refpolicy/src/policy/ directory.

	Use the example targeted modules configuration.

# cd /etc/selinux/refpolicy/src/policy

# cp policy/modules.conf.targeted_example policy/modules.conf

	Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile).

	Near the top of the file, the policy has a few build options.

	The TYPE needs to be set to targeted, and the DISTRO option needs to be

	uncommented and set to redhat.

########################################

#

# Configurable portions of the Makefile

#

# Policy version

# By default, checkpolicy will create the highest

# version policy it supports.  Setting this will

# override the version.

#OUTPUT_POLICY = 18

# Policy Type

# strict, targeted, strict-mls, targeted-mls

TYPE = <font color=red>targeted</font>

# Policy Name

# If set, this will be used as the policy

# name.  Otherwise the policy type will be

# used for the name.

NAME = refpolicy

# Distribution

# Some distributions have portions of policy

# for programs or configurations specific to the

# distribution.  Setting this will enable options

# for the distribution.

# redhat, gentoo, debian, and suse are current options.

# Fedora users should enable redhat.

<font color=red>DISTRO = redhat</font>

# Build monolithic policy.  Putting n here

# will build a loadable module policy.

# Only monolithic policies are currently supported.

MONOLITHIC=y

# Uncomment this to disable command echoing

#QUIET:=@

	Install the policy

	Next, install the policy, application configuration files, and

	file contexts.

# make install

	Change SELinux Configuration

	Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy.

	It should look similar to this:

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - No SELinux policy is loaded.

SELINUX=enforcing

# SELINUXTYPE= can take one of these two values:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=<font color=red>refpolicy</font>

	Restart and Relabel

	The system needs to be restarted with the new policy, and relabeled

	on booting, to finalize the switch.

# touch /.autorelabel

# shutdown -r now