2005-08-01 17:55:04 +00:00
|
|
|
<h1>Switching to Targeted Reference Policy</h1>
|
2005-07-27 14:32:12 +00:00
|
|
|
<p>
|
|
|
|
This guide will walk you through switching to the targeted reference
|
2005-08-02 15:40:39 +00:00
|
|
|
policy on a Fedora system. Note: Reference Policy should not yet
|
|
|
|
be used on production systems.
|
2005-07-27 14:32:12 +00:00
|
|
|
<p>
|
|
|
|
<h2>
|
|
|
|
Download and unpack the policy
|
|
|
|
</h2>
|
|
|
|
<p>
|
2005-08-02 15:19:49 +00:00
|
|
|
The policy is <a href="index.php?page=download">available</a>
|
2005-07-27 14:32:12 +00:00
|
|
|
from Sourceforge. Download the policy, and unpack it to a temporary
|
|
|
|
directory. Then use the install-src make target to install the policy
|
|
|
|
sources.
|
2005-08-01 17:55:04 +00:00
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
2005-07-27 14:32:12 +00:00
|
|
|
<pre>
|
2005-09-22 19:11:59 +00:00
|
|
|
# <b>tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp</b>
|
2005-08-02 15:19:49 +00:00
|
|
|
# <b>cd /tmp/refpolicy</b>
|
|
|
|
# <b>make install-src</b>
|
2005-07-27 14:32:12 +00:00
|
|
|
</pre>
|
2005-08-01 17:55:04 +00:00
|
|
|
</div>
|
2005-07-27 14:32:12 +00:00
|
|
|
<h2>
|
|
|
|
Configure the policy
|
|
|
|
</h2>
|
2005-08-01 17:55:04 +00:00
|
|
|
<p>
|
|
|
|
The policy source is found in the
|
|
|
|
/etc/selinux/refpolicy/src/policy/ directory.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
|
|
|
<pre>
|
2005-08-02 15:19:49 +00:00
|
|
|
# <b>cd /etc/selinux/refpolicy/src/policy</b>
|
2005-08-01 17:55:04 +00:00
|
|
|
</pre>
|
|
|
|
</div>
|
2005-07-27 14:32:12 +00:00
|
|
|
<p>
|
2005-08-02 15:19:49 +00:00
|
|
|
Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile).
|
|
|
|
Near the top of the file, the policy has a few build options.
|
2005-09-22 19:11:59 +00:00
|
|
|
The TYPE needs to be set to targeted, the DISTRO option needs to be
|
|
|
|
uncommented and set to redhat, and DIRECT_INITRC should be set to y.
|
2005-07-27 14:32:12 +00:00
|
|
|
</p>
|
2005-08-01 17:55:04 +00:00
|
|
|
<div id="codeblock">
|
2005-07-27 14:32:12 +00:00
|
|
|
<pre>
|
|
|
|
########################################
|
|
|
|
#
|
|
|
|
# Configurable portions of the Makefile
|
|
|
|
#
|
|
|
|
|
|
|
|
# Policy version
|
|
|
|
# By default, checkpolicy will create the highest
|
|
|
|
# version policy it supports. Setting this will
|
|
|
|
# override the version.
|
|
|
|
#OUTPUT_POLICY = 18
|
|
|
|
|
|
|
|
# Policy Type
|
2005-09-22 19:11:59 +00:00
|
|
|
# strict, targeted,
|
|
|
|
# strict-mls, targeted-mls,
|
|
|
|
# strict-mcs, targeted-mcs
|
2005-07-27 14:32:12 +00:00
|
|
|
TYPE = <font color=red><b>targeted</b></font>
|
|
|
|
|
|
|
|
# Policy Name
|
|
|
|
# If set, this will be used as the policy
|
|
|
|
# name. Otherwise the policy type will be
|
|
|
|
# used for the name.
|
|
|
|
NAME = refpolicy
|
|
|
|
|
|
|
|
# Distribution
|
|
|
|
# Some distributions have portions of policy
|
|
|
|
# for programs or configurations specific to the
|
|
|
|
# distribution. Setting this will enable options
|
|
|
|
# for the distribution.
|
|
|
|
# redhat, gentoo, debian, and suse are current options.
|
|
|
|
# Fedora users should enable redhat.
|
|
|
|
<font color=red><b>DISTRO = redhat</b></font>
|
|
|
|
|
2005-09-22 19:11:59 +00:00
|
|
|
# Direct admin init
|
|
|
|
# Setting this will allow sysadm to directly
|
|
|
|
# run init scripts, instead of requring run_init.
|
|
|
|
# This is a build option, as role transitions do
|
|
|
|
# not work in conditional policy.
|
|
|
|
DIRECT_INITRC=<font color=red><b>y</b></font>
|
|
|
|
|
2005-07-27 14:32:12 +00:00
|
|
|
# Build monolithic policy. Putting n here
|
|
|
|
# will build a loadable module policy.
|
|
|
|
# Only monolithic policies are currently supported.
|
|
|
|
MONOLITHIC=y
|
|
|
|
|
|
|
|
# Uncomment this to disable command echoing
|
|
|
|
#QUIET:=@
|
|
|
|
</pre>
|
2005-08-01 17:55:04 +00:00
|
|
|
</div>
|
2005-07-27 14:32:12 +00:00
|
|
|
<h2>
|
2005-08-01 17:55:04 +00:00
|
|
|
Install the policy
|
2005-07-27 14:32:12 +00:00
|
|
|
</h2>
|
2005-08-01 17:55:04 +00:00
|
|
|
<p>
|
|
|
|
Next, install the policy, application configuration files, and
|
|
|
|
file contexts.
|
|
|
|
</p>
|
|
|
|
<div id="codeblock">
|
2005-07-27 14:32:12 +00:00
|
|
|
<pre>
|
2005-08-02 15:19:49 +00:00
|
|
|
# <b>make install</b>
|
2005-07-27 14:32:12 +00:00
|
|
|
</pre>
|
2005-08-01 17:55:04 +00:00
|
|
|
</div>
|
2005-07-27 14:32:12 +00:00
|
|
|
<h2>
|
|
|
|
Change SELinux Configuration
|
|
|
|
</h2>
|
|
|
|
<p>
|
|
|
|
Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy.
|
|
|
|
It should look similar to this:
|
|
|
|
</p>
|
2005-08-01 17:55:04 +00:00
|
|
|
<div id="codeblock">
|
2005-07-27 14:32:12 +00:00
|
|
|
<pre>
|
|
|
|
# This file controls the state of SELinux on the system.
|
|
|
|
# SELINUX= can take one of these three values:
|
|
|
|
# enforcing - SELinux security policy is enforced.
|
|
|
|
# permissive - SELinux prints warnings instead of enforcing.
|
|
|
|
# disabled - No SELinux policy is loaded.
|
|
|
|
SELINUX=enforcing
|
|
|
|
# SELINUXTYPE= can take one of these two values:
|
|
|
|
# targeted - Only targeted network daemons are protected.
|
|
|
|
# strict - Full SELinux protection.
|
|
|
|
SELINUXTYPE=<font color=red><b>refpolicy</b></font>
|
|
|
|
</pre>
|
2005-08-01 17:55:04 +00:00
|
|
|
</div>
|
2005-07-27 14:32:12 +00:00
|
|
|
<h2>
|
2005-08-01 17:55:04 +00:00
|
|
|
Restart and Relabel
|
2005-07-27 14:32:12 +00:00
|
|
|
</h2>
|
|
|
|
<p>
|
|
|
|
The system needs to be restarted with the new policy, and relabeled
|
2005-08-02 15:19:49 +00:00
|
|
|
on booting, to finalize the switch.
|
2005-07-27 14:32:12 +00:00
|
|
|
</p>
|
2005-08-01 17:55:04 +00:00
|
|
|
<div id="codeblock">
|
2005-07-27 14:32:12 +00:00
|
|
|
<pre>
|
2005-08-02 15:19:49 +00:00
|
|
|
# <b>touch /.autorelabel</b>
|
|
|
|
# <b>shutdown -r now</b>
|
2005-07-27 14:32:12 +00:00
|
|
|
</pre>
|
2005-08-01 17:55:04 +00:00
|
|
|
</div>
|