selinux-policy/www/html/switch.html

137 lines
3.5 KiB
HTML
Raw Normal View History

2005-08-01 17:55:04 +00:00
<h1>Switching to Targeted Reference Policy</h1>
2005-07-27 14:32:12 +00:00
<p>
This guide will walk you through switching to the targeted reference
policy on a Fedora system. Note: Reference Policy should not yet
be used on production systems.
2005-07-27 14:32:12 +00:00
<p>
<h2>
Download and unpack the policy
</h2>
<p>
2005-08-02 15:19:49 +00:00
The policy is <a href="index.php?page=download">available</a>
2005-07-27 14:32:12 +00:00
from Sourceforge. Download the policy, and unpack it to a temporary
directory. Then use the install-src make target to install the policy
sources.
2005-08-01 17:55:04 +00:00
</p>
<div id="codeblock">
2005-07-27 14:32:12 +00:00
<pre>
2005-09-22 19:11:59 +00:00
# <b>tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp</b>
2005-08-02 15:19:49 +00:00
# <b>cd /tmp/refpolicy</b>
# <b>make install-src</b>
2005-07-27 14:32:12 +00:00
</pre>
2005-08-01 17:55:04 +00:00
</div>
2005-07-27 14:32:12 +00:00
<h2>
Configure the policy
</h2>
2005-08-01 17:55:04 +00:00
<p>
The policy source is found in the
/etc/selinux/refpolicy/src/policy/ directory.
</p>
<div id="codeblock">
<pre>
2005-08-02 15:19:49 +00:00
# <b>cd /etc/selinux/refpolicy/src/policy</b>
2005-08-01 17:55:04 +00:00
</pre>
</div>
2005-07-27 14:32:12 +00:00
<p>
2005-08-02 15:19:49 +00:00
Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile).
Near the top of the file, the policy has a few build options.
2005-09-22 19:11:59 +00:00
The TYPE needs to be set to targeted, the DISTRO option needs to be
uncommented and set to redhat, and DIRECT_INITRC should be set to y.
2005-07-27 14:32:12 +00:00
</p>
2005-08-01 17:55:04 +00:00
<div id="codeblock">
2005-07-27 14:32:12 +00:00
<pre>
########################################
#
# Configurable portions of the Makefile
#
# Policy version
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version.
#OUTPUT_POLICY = 18
# Policy Type
2005-09-22 19:11:59 +00:00
# strict, targeted,
# strict-mls, targeted-mls,
# strict-mcs, targeted-mcs
2005-07-27 14:32:12 +00:00
TYPE = <font color=red><b>targeted</b></font>
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
NAME = refpolicy
# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution. Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, and suse are current options.
# Fedora users should enable redhat.
<font color=red><b>DISTRO = redhat</b></font>
2005-09-22 19:11:59 +00:00
# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC=<font color=red><b>y</b></font>
2005-07-27 14:32:12 +00:00
# Build monolithic policy. Putting n here
# will build a loadable module policy.
# Only monolithic policies are currently supported.
MONOLITHIC=y
# Uncomment this to disable command echoing
#QUIET:=@
</pre>
2005-08-01 17:55:04 +00:00
</div>
2005-07-27 14:32:12 +00:00
<h2>
2005-08-01 17:55:04 +00:00
Install the policy
2005-07-27 14:32:12 +00:00
</h2>
2005-08-01 17:55:04 +00:00
<p>
Next, install the policy, application configuration files, and
file contexts.
</p>
<div id="codeblock">
2005-07-27 14:32:12 +00:00
<pre>
2005-08-02 15:19:49 +00:00
# <b>make install</b>
2005-07-27 14:32:12 +00:00
</pre>
2005-08-01 17:55:04 +00:00
</div>
2005-07-27 14:32:12 +00:00
<h2>
Change SELinux Configuration
</h2>
<p>
Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy.
It should look similar to this:
</p>
2005-08-01 17:55:04 +00:00
<div id="codeblock">
2005-07-27 14:32:12 +00:00
<pre>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=<font color=red><b>refpolicy</b></font>
</pre>
2005-08-01 17:55:04 +00:00
</div>
2005-07-27 14:32:12 +00:00
<h2>
2005-08-01 17:55:04 +00:00
Restart and Relabel
2005-07-27 14:32:12 +00:00
</h2>
<p>
The system needs to be restarted with the new policy, and relabeled
2005-08-02 15:19:49 +00:00
on booting, to finalize the switch.
2005-07-27 14:32:12 +00:00
</p>
2005-08-01 17:55:04 +00:00
<div id="codeblock">
2005-07-27 14:32:12 +00:00
<pre>
2005-08-02 15:19:49 +00:00
# <b>touch /.autorelabel</b>
# <b>shutdown -r now</b>
2005-07-27 14:32:12 +00:00
</pre>
2005-08-01 17:55:04 +00:00
</div>