Chapter 8. Customizing and Writing Policy
2. Build and test your policy. You can test locally on your development machine, or follow the outline
of this procedure to deploy custom binary policy files to your test environment. Use apol to analyze
your policy, as described in Section 6.3 Using apol for Policy Analysis.
3. When you are ready to deploy, use tar to pack your policy files. Notice that the source directory
is not included:
tar czvf tgt.tgz targeted/policy/ targeted/contexts/ \
targeted/booleans
Alternatively, you can use star so that you can preserve the xattrs for the policy files. This is
explained in Section 5.1.4 Make Backups or Archives That Retain Security Contexts. However,
since you are going to initiate a relabel on boot anyway, you can use tar instead. The policy
files unpack and receive the default file label, such as system_u:object_r:default_t, and are
relabeled upon boot.
4. If this is the first time the custom policy has been deployed on this system, you need to configure
SELinux to use the policy on the next boot.
Note
It is extremely difficult to change policy without rebooting the system. The file system needs to be
relabeled and every process, starting with init, needs to be restarted under the new policy. This
is the reason rebooting is required for switching policy.
In /etc/selinux/config, change the value for SELINUXTYPE to the name of the new policy.
The name is the same as the directory name in /etc/selinux. For example, the custom policy at
/etc/selinux/custom/ has the value of SELINUXTYPE=custom.
You can do this using system-config-securitylevel. Under the SELinux tab, change the Policy
Type: to custom. This area of system-config-securitylevel is automatically populated from the
names of actual policy directories under /etc/selinux/.
5. Initiate a reboot and relabel.
touch /.autorelabel
reboot
6. If you have trouble getting the custom policy to work on the test or production environment, work
through the denials as you did when writing the policy in the first place.
a. Make sure the file system is labeled correctly. If you cannot touch /.autorelabel,
either use setenforce 0 or boot into permissive mode.
You may need to boot into single-user mode and attempt a manual relabel of the file
system. Although this is not normally recommended, it can be a working method to get
enough labeling correct to have the /.autorelabel work correctly. You can read more
about this at Section 5.2.2 Relabel a File System.
b. Work through the denial errors one at a time. You may need to temporarily install the
policy source to relabel or rebuild the policy.
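Steps 3 through 5 above can be scripted so that the same deployment is repeated identically on every test host. The following is an added example written for this guide, not a script shipped with Red Hat or with the policy sources. It packs the policy tree without its src/ directory, switches SELINUXTYPE in the config file only when a matching directory exists under /etc/selinux (the same check system-config-securitylevel makes when it fills its Policy Type list), and creates /.autorelabel. The ROOT prefix, the policy name "custom", the binary name policy.18 and the demo() function are assumptions made so the script can be exercised against a scratch tree instead of the live system; on a real host you would call the functions with an empty prefix and then reboot.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): package a custom SELinux policy
# without its source directory, switch SELINUXTYPE, and schedule a relabel.
# All paths are taken relative to a caller-supplied prefix so the script can
# be tried against a scratch directory first (an assumption for this example).
set -eu

# Pack $2/policy/, $2/contexts/ and $2/booleans from the tree $1 into the
# tarball $3. The src/ directory is deliberately left out, as in step 3.
pack_policy() {
    selinux_dir=$1; name=$2; out=$3
    [ -d "$selinux_dir/$name/policy" ] || {
        echo "no policy/ directory under $selinux_dir/$name" >&2; return 1; }
    ( cd "$selinux_dir" && tar czf "$out" "$name/policy/" "$name/contexts/" "$name/booleans" )
}

# Set SELINUXTYPE in config file $1 to $2, refusing names that have no
# directory under $3 (system-config-securitylevel populates its list the
# same way). A temp file is used instead of sed -i for portability.
set_selinuxtype() {
    config=$1; name=$2; selinux_dir=$3
    [ -d "$selinux_dir/$name" ] || {
        echo "no policy directory $selinux_dir/$name" >&2; return 1; }
    if grep -q '^SELINUXTYPE=' "$config"; then
        sed "s/^SELINUXTYPE=.*/SELINUXTYPE=$name/" "$config" > "$config.tmp"
        mv "$config.tmp" "$config"
    else
        echo "SELINUXTYPE=$name" >> "$config"
    fi
}

# Create /.autorelabel under prefix $1 (empty prefix means the real root) so
# init relabels the whole file system on the next boot, as in step 5.
schedule_relabel() {
    touch "${1:-}/.autorelabel"
}

# Print the SELINUXTYPE currently set in config file $1.
current_selinuxtype() {
    sed -n 's/^SELINUXTYPE=//p' "$1" | tail -n 1
}

# Demo against a constructed scratch tree (assumed layout and file names):
# build a fake /etc/selinux/custom, pack it, switch the config, schedule the
# relabel and show what happened. Nothing on the real system is touched.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/selinux/custom/policy" \
             "$root/etc/selinux/custom/contexts/files" \
             "$root/etc/selinux/custom/src"
    : > "$root/etc/selinux/custom/policy/policy.18"
    : > "$root/etc/selinux/custom/contexts/files/file_contexts"
    : > "$root/etc/selinux/custom/booleans"
    : > "$root/etc/selinux/custom/src/policy.conf"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$root/etc/selinux/config"

    pack_policy "$root/etc/selinux" custom "$root/custom.tgz"
    set_selinuxtype "$root/etc/selinux/config" custom "$root/etc/selinux"
    schedule_relabel "$root"

    echo "archive contents (no src/):"; tar tzf "$root/custom.tgz"
    echo "SELINUXTYPE is now: $(current_selinuxtype "$root/etc/selinux/config")"
    [ -e "$root/.autorelabel" ] && echo "relabel scheduled via $root/.autorelabel"
    rm -rf "$root"
}
demo
```

On the target host, unpack the archive under /etc/selinux, run set_selinuxtype with the real /etc/selinux/config and /etc/selinux, call schedule_relabel with an empty prefix, and reboot; the files unpacked by tar carry default_t until the relabel runs, which is why the reboot in step 5 is not optional.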