Chris PeBenito 7c347c

Switching to Targeted Reference Policy

	The targeted policy is now available on Fedora systems in the
	development repositories (Rawhide), as selinux-policy-targeted 2.*.
	If you are using Rawhide, simply update your policy using yum.
	This guide will walk you through switching to the targeted reference
	policy on a Fedora system not using these repositories.

	Download and unpack the policy

	The policy is available from Sourceforge.  Download the policy, and
	unpack it to a temporary directory.  Then use the install-src make
	target to install the policy sources.

# tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp
# cd /tmp/refpolicy
# make install-src

	Configure the policy

	The policy source is found in the
	/etc/selinux/refpolicy/src/policy/ directory.

# cd /etc/selinux/refpolicy/src/policy

	Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile).
	Near the top of the file, the policy has a few build options.
	TYPE needs to be set to targeted, the DISTRO option needs to be
	uncommented and set to redhat, and DIRECT_INITRC should be set to y.
	The configurable portion of the Makefile should then look like this:

########################################
#
# Configurable portions of the Makefile
#

# Policy version
# By default, checkpolicy will create the highest
# version policy it supports.  Setting this will
# override the version.
#OUTPUT_POLICY = 18

# Policy Type
# strict, targeted,
# strict-mls, targeted-mls,
# strict-mcs, targeted-mcs
TYPE = targeted

# Policy Name
# If set, this will be used as the policy
# name.  Otherwise the policy type will be
# used for the name.
NAME = refpolicy

# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution.  Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, and suse are current options.
# Fedora users should enable redhat.
DISTRO = redhat

# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requiring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC=y

# Build monolithic policy.  Putting n here
# will build a loadable module policy.
# Only monolithic policies are currently supported.
MONOLITHIC=y

# Uncomment this to disable command echoing
#QUIET:=@

	Install the policy

	Next, install the policy, application configuration files, and
	file contexts.

# make install

	Change SELinux Configuration

	Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy.
	It should look similar to this:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=refpolicy

	Restart and Relabel

	The system needs to be restarted with the new policy, and relabeled
	on booting, to finalize the switch.

# touch /.autorelabel
# shutdown -r now
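	The steps above leave several pieces that have to agree before the
	reboot: the build options in the Makefile, the NAME the policy is
	installed under, and SELINUXTYPE in /etc/selinux/config.  If
	SELINUXTYPE names a directory that holds no installed policy, the
	system comes up with no policy to load.  The POSIX shell script below
	is an added example, not part of this guide or of the reference
	policy, that checks those pieces against a system (or a scratch tree)
	before the relabel and reboot.  It assumes that make install places
	the binary policy under /etc/selinux/<NAME>/policy/ and the file
	contexts under /etc/selinux/<NAME>/contexts/files/file_contexts, and
	that NAME falls back to TYPE when it is unset; the demo tree it builds,
	including the policy.20 file name, is constructed sample data.

```shell
#!/bin/sh
# Pre-reboot check for the targeted refpolicy switch described in this guide.
# Added example, not part of the original guide or of refpolicy itself.
# Assumptions (not stated on the page): the Makefile's NAME (falling back to
# TYPE) is the directory under /etc/selinux/ that "make install" populates,
# with the binary policy under policy/ and the file contexts under
# contexts/files/file_contexts.  ROOT prefixes every path so the checks can
# run against a scratch tree instead of the live system.

# kv_get VAR FILE: effective value of VAR in a Makefile or /etc/selinux/config,
# i.e. the last uncommented "VAR = value", "VAR=value" or "VAR:=value" line.
# Commented-out lines such as "#DISTRO = redhat" do not match, so an option
# that was never uncommented yields an empty string.
kv_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:*=[[:space:]]*\(.*\)\$/\1/p" "$2" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# expect_eq LABEL WANT GOT: report one comparison and count a mismatch.
expect_eq() {
    if [ "$3" = "$2" ]; then
        echo "ok    $1=$2"
    else
        echo "FAIL  $1='$3' (expected '$2')"
        fails=$((fails + 1))
    fi
}

# check_switch ROOT: verify that every step of the guide was carried out
# under ROOT; prints one line per check and returns the number of failures
# (0 means the system is ready to relabel and reboot).
check_switch() {
    root=${1:-}
    fails=0
    mk="$root/etc/selinux/refpolicy/src/policy/Makefile"
    cfg="$root/etc/selinux/config"

    if [ ! -f "$mk" ]; then
        echo "FAIL  policy sources missing at $mk (run make install-src)"
        return 1
    fi

    # Build options from the "Configure the policy" step.
    expect_eq TYPE          targeted "$(kv_get TYPE "$mk")"
    expect_eq DISTRO        redhat   "$(kv_get DISTRO "$mk")"
    expect_eq DIRECT_INITRC y        "$(kv_get DIRECT_INITRC "$mk")"
    expect_eq MONOLITHIC    y        "$(kv_get MONOLITHIC "$mk")"

    # SELINUXTYPE must name the directory the policy was installed into,
    # otherwise no policy can be loaded at boot.
    name=$(kv_get NAME "$mk")
    [ -n "$name" ] || name=$(kv_get TYPE "$mk")
    expect_eq SELINUXTYPE "$name" "$(kv_get SELINUXTYPE "$cfg")"

    # Artifacts of the "Install the policy" step (assumed layout, see above).
    pdir="$root/etc/selinux/$name"
    if ls "$pdir"/policy/policy.* >/dev/null 2>&1; then
        echo "ok    binary policy present in $pdir/policy/"
    else
        echo "FAIL  no policy.* in $pdir/policy/ (run make install)"
        fails=$((fails + 1))
    fi
    if [ -f "$pdir/contexts/files/file_contexts" ]; then
        echo "ok    file contexts present in $pdir/contexts/files/"
    else
        echo "FAIL  $pdir/contexts/files/file_contexts missing (run make install)"
        fails=$((fails + 1))
    fi

    # Without the relabel marker the old labels survive the reboot and the
    # new policy denies access to mislabeled files; warn rather than fail.
    if [ -f "$root/.autorelabel" ]; then
        echo "ok    /.autorelabel present, relabel runs on next boot"
    else
        echo "WARN  /.autorelabel missing; touch it before rebooting"
    fi
    return "$fails"
}

# build_demo_tree ROOT: lay out a constructed tree mirroring the state the
# guide leaves behind (sample data, not copied from any real system).
build_demo_tree() {
    mkdir -p "$1/etc/selinux/refpolicy/src/policy" \
             "$1/etc/selinux/refpolicy/policy" \
             "$1/etc/selinux/refpolicy/contexts/files"
    cat > "$1/etc/selinux/refpolicy/src/policy/Makefile" <<'EOF'
#OUTPUT_POLICY = 18
TYPE = targeted
NAME = refpolicy
DISTRO = redhat
DIRECT_INITRC=y
MONOLITHIC=y
#QUIET:=@
EOF
    printf 'SELINUX=enforcing\nSELINUXTYPE=refpolicy\n' > "$1/etc/selinux/config"
    : > "$1/etc/selinux/refpolicy/policy/policy.20"
    : > "$1/etc/selinux/refpolicy/contexts/files/file_contexts"
    : > "$1/.autorelabel"
}

# Usage: sh precheck.sh --demo          (constructed tree, every check passes)
#        sh precheck.sh --check [ROOT]  (inspect the live system or a chroot)
case "${1:-}" in
    --demo)  d=$(mktemp -d); build_demo_tree "$d"; check_switch "$d"; rm -rf "$d" ;;
    --check) check_switch "${2:-}" ;;
esac
```

	Run it with --check as root after the make install step and before
	touching /.autorelabel; a non-zero exit status means at least one of
	the steps above still has to be redone.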