diff --git a/www/html/switch.html b/www/html/switch.html new file mode 100644 index 0000000..b76caf6 --- /dev/null +++ b/www/html/switch.html @@ -0,0 +1,104 @@ +

Switching to Reference Policy

+

+ This guide will walk you through switching to the targeted reference + policy on a Fedora system. +

+

+ Download and unpack the policy +

+

+ The policy is available and + from Sourceforge. Download the policy, and unpack it to a temporary + directory. Then use the install-src make target to install the policy + sources. + +

+# tar -jxvf refpolicy-20050711.tar.bz2 -C /tmp
+# cd /tmp/refpolicy
+# make install-src
+
+

+ Configure the policy +

+

+ Near the top of the policy Makefile, the policy has a few build options. + The TYPE needs to be set to targeted, and the DISTRO option needs to be + uncommented, and set to redhat. The Makefile is found in the + /etc/selinux/refpolicy/src/policy/ directory. +

+
+########################################
+#
+# Configurable portions of the Makefile
+#
+
+# Policy version
+# By default, checkpolicy will create the highest
+# version policy it supports.  Setting this will
+# override the version.
+#OUTPUT_POLICY = 18
+
+# Policy Type
+# strict, targeted, strict-mls, targeted-mls
+TYPE = targeted
+
+# Policy Name
+# If set, this will be used as the policy
+# name.  Otherwise the policy type will be
+# used for the name.
+NAME = refpolicy
+
+# Distribution
+# Some distributions have portions of policy
+# for programs or configurations specific to the
+# distribution.  Setting this will enable options
+# for the distribution.
+# redhat, gentoo, debian, and suse are current options.
+# Fedora users should enable redhat.
+DISTRO = redhat
+
+# Build monolithic policy.  Putting n here
+# will build a loadable module policy.
+# Only monolithic policies are currently supported.
+MONOLITHIC=y
+
+# Uncomment this to disable command echoing
+#QUIET:=@
+
+

+ Install the binary policy and application configuration files +

+
+# cd /etc/selinux/refpolicy/src/policy
+# make install
+
+

+ Change SELinux Configuration +

+

+ Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy. + It should look similar to this: +

+
+# This file controls the state of SELinux on the system.
+# SELINUX= can take one of these three values:
+#       enforcing - SELinux security policy is enforced.
+#       permissive - SELinux prints warnings instead of enforcing.
+#       disabled - No SELinux policy is loaded.
+SELINUX=enforcing
+# SELINUXTYPE= can take one of these two values:
+#       targeted - Only targeted network daemons are protected.
+#       strict - Full SELinux protection.
+SELINUXTYPE=refpolicy
+
+

+ Relabel +

+

+ The system needs to be restarted with the new policy, and relabeled + on booting. +

+
+# touch /.autorelabel
+# shutdown -r now
+
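Review bot: In the "Change SELinux Configuration" step, the sample /etc/selinux/config keeps `SELINUX=enforcing` while switching `SELINUXTYPE=refpolicy`, and the guide then goes straight to `touch /.autorelabel` and `shutdown -r now`. That means the first boot under a policy the machine has never run is already enforcing. Suggest telling readers to set `SELINUX=permissive` for the relabel boot, review the logged denials, and only then switch back to enforcing. In the same sample, the comment still lists only `targeted` and `strict` as valid `SELINUXTYPE` values, so it is worth a sentence explaining that the value must match `NAME = refpolicy` from the Makefile step. Separately, the download step unpacks the tarball as root into `/tmp` and then runs `make install-src` from `/tmp/refpolicy`, a predictable path in a world-writable directory. A private directory, for example one created with `mktemp -d`, would be a safer instruction.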