<h1>Switching to Targeted Reference Policy</h1>

<p>
The targeted policy is now available on Fedora systems in the development repositories (Rawhide), as selinux-policy-targeted 2.*. If you are using Rawhide, simply update your policy using yum. This guide walks you through switching to the targeted reference policy on a Fedora system that does not use these repositories.
</p>

<h2>Download and unpack the policy</h2>

<p>
The policy is <a href="index.php?page=download">available</a> from Sourceforge. Download the policy and unpack it to a temporary directory. Then use the install-src make target to install the policy sources.
</p>

<div id="codeblock">
<pre>
# <b>tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp</b>
# <b>cd /tmp/refpolicy</b>
# <b>make install-src</b>
</pre>
</div>

<h2>Configure the policy</h2>

<p>
The policy source is found in the /etc/selinux/refpolicy/src/policy/ directory.
</p>

<div id="codeblock">
<pre>
# <b>cd /etc/selinux/refpolicy/src/policy</b>
</pre>
</div>

<p>
Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile). Near the top of the file, the policy has a few build options. TYPE needs to be set to targeted, the DISTRO option needs to be uncommented and set to redhat, and DIRECT_INITRC should be set to y.
</p>

<div id="codeblock">
<pre>
########################################
#
# Configurable portions of the Makefile
#

# Policy version
# By default, checkpolicy will create the highest
# version policy it supports.  Setting this will
# override the version.
#OUTPUT_POLICY = 18

# Policy Type
# strict, targeted,
# strict-mls, targeted-mls,
# strict-mcs, targeted-mcs
TYPE = <font color="red"><b>targeted</b></font>

# Policy Name
# If set, this will be used as the policy
# name.  Otherwise the policy type will be
# used for the name.
NAME = refpolicy

# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution.  Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, and suse are current options.
# Fedora users should enable redhat.
<font color="red"><b>DISTRO = redhat</b></font>

# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requiring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC=<font color="red"><b>y</b></font>

# Build monolithic policy.  Putting n here
# will build a loadable module policy.
# Only monolithic policies are currently supported.
MONOLITHIC=y

# Uncomment this to disable command echoing
#QUIET:=@
</pre>
</div>

<h2>Install the policy</h2>

<p>
Next, install the policy, application configuration files, and file contexts.
</p>

<div id="codeblock">
<pre>
# <b>make install</b>
</pre>
</div>

<h2>Change SELinux Configuration</h2>

<p>
Modify the /etc/selinux/config file and set SELINUXTYPE to refpolicy. It should look similar to this:
</p>

<div id="codeblock">
<pre>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=<font color="red"><b>refpolicy</b></font>
</pre>
</div>

<h2>Restart and Relabel</h2>

<p>
The system needs to be restarted with the new policy, and relabeled on booting, to finalize the switch.
</p>

<div id="codeblock">
<pre>
# <b>touch /.autorelabel</b>
# <b>shutdown -r now</b>
</pre>
</div>
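<p>
A relabel and reboot with a mis-set policy is slow to recover from, so it is worth confirming the settings above before running make install. The script below is an added pre-flight check, not part of the guide or the refpolicy project: it verifies that the Makefile carries TYPE = targeted, DISTRO = redhat (uncommented), DIRECT_INITRC=y and MONOLITHIC=y, and that /etc/selinux/config has SELINUXTYPE=refpolicy, and reports every setting that is missing or wrong. The file paths passed on the command line are the ones from this guide; the sample files it writes when run without arguments are constructed for the demonstration.
</p>

```shell
#!/bin/sh
# Added pre-flight check for the refpolicy switch (not part of the guide):
# confirm the Makefile and /etc/selinux/config settings before "make install".

# check_setting FILE KEY VALUE: succeed if FILE has an uncommented
# "KEY = VALUE" (or "KEY=VALUE") line whose value is exactly VALUE.
check_setting() {
    file=$1; key=$2; want=$3
    # Lines commented out with a leading '#' do not match; last assignment wins.
    got=$(grep -E "^[[:space:]]*${key}[[:space:]]*:?=" "$file" 2>/dev/null |
          tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//')
    [ "$got" = "$want" ] && return 0
    echo "FAIL: $file: expected $key=$want, found '${got:-<unset>}'" >&2
    return 1
}

# check_refpolicy_switch MAKEFILE SELINUX_CONFIG
# Returns the number of settings that are missing or wrong (0 = ready).
check_refpolicy_switch() {
    makefile=$1; selconf=$2; failures=0
    for kv in TYPE=targeted DISTRO=redhat DIRECT_INITRC=y MONOLITHIC=y; do
        check_setting "$makefile" "${kv%%=*}" "${kv#*=}" || failures=$((failures + 1))
    done
    check_setting "$selconf" SELINUXTYPE refpolicy || failures=$((failures + 1))
    return "$failures"
}

# write_samples DIR: constructed sample files (not taken from a real system)
# mirroring the guide's fragments: one correct pair, one pair with two mistakes.
write_samples() {
    printf '%s\n' '#OUTPUT_POLICY = 18' 'TYPE = targeted' 'NAME = refpolicy' \
        'DISTRO = redhat' 'DIRECT_INITRC=y' 'MONOLITHIC=y' '#QUIET:=@' > "$1/Makefile.ok"
    printf '%s\n' 'SELINUX=enforcing' 'SELINUXTYPE=refpolicy' > "$1/config.ok"
    # Mistakes: DISTRO left commented out, SELINUXTYPE still set to targeted.
    printf '%s\n' 'TYPE = targeted' '#DISTRO = redhat' 'DIRECT_INITRC=y' \
        'MONOLITHIC=y' > "$1/Makefile.bad"
    printf '%s\n' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$1/config.bad"
}

# Usage: sh check_refpolicy.sh /etc/selinux/refpolicy/src/policy/Makefile /etc/selinux/config
# Without arguments the check runs against the constructed samples instead.
if [ $# -eq 2 ]; then
    check_refpolicy_switch "$1" "$2" && echo "ready to run make install"
else
    dir=$(mktemp -d); write_samples "$dir"
    check_refpolicy_switch "$dir/Makefile.ok" "$dir/config.ok" && echo "sample ok: ready"
    check_refpolicy_switch "$dir/Makefile.bad" "$dir/config.bad" || echo "sample bad: $? problems"
fi
```

Run it as root against the two real paths after editing the Makefile and config; a non-zero exit status lists each offending setting on stderr.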