How to help with SELinux

Elliot Lee sopwith at redhat.com
Fri Feb 27 17:21:09 UTC 2004


Since FC2t2 was just delayed due to SELinux, no doubt you're wondering
"How do I help with SELinux hacking so I can get my hands on test2?"

The simplest way is to install from rawhide, use the system in as many
ways as you can, and file bug reports against the 'policy' package for any
'avc: denied' messages that show up in the system logs. Please make sure 
to check that the bug hasn't already been filed. Try to include all the 
information on the problem:
	The 'avc: denied' messages themselves.
	How to reproduce them:
		Which program to run or actions to take

		What environment to reproduce in - root login or regular 
		user login, su session, sudo session, graphical or text 
		environment, etc.

		Whether SELinux is in enforcing mode

		What file system type (ext3, NFS) might be involved in the 
		bug

		Whether or not you have rebooted since last upgrading your 
		policy package.

		What version of the policy package you have installed 
		('rpm -q policy')

If you want to go beyond just reporting problems, an even better thing to
do is to write policy to fix the problems you find, and then submit the
policy changes. There are tons of things we have never tried and are
almost guaranteed to blow up. If we have to write policy for all of them,
it will take a very long time.

The audit2allow utility (part of the policycoreutils package) may be 
useful here.

If you want to know more about SELinux and writing policies for it, you 
can visit http://www.tresys.com/selinux/selinux-course-outline.html

Another tack to take when writing policies is to look at existing policies 
for similar programs. For example, if you're writing a policy for rshd, 
the policy for sshd might make a good start.

(Kudos to Dan Walsh for all the content here)
-- Elliot
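
Added example, not part of the original post and not audit2allow's own code: a Python sketch that pulls 'avc: denied' records out of a system log, groups them by source type, target type and object class, and drafts candidate allow rules to attach to a 'policy' bug report. The log lines are constructed samples and the function names (parse_avc, summarize, draft_rules) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (host, pids, paths and address are made up).
SAMPLE_LOG = """\
Feb 27 12:01:07 host kernel: audit(1077883267.101:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 27 12:01:07 host kernel: audit(1077883267.105:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/httpd path=/home/al/index.html dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 27 12:01:09 host kernel: audit(1077883269.220:0): avc:  denied  { read } for  pid=2101 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=4711 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 27 12:02:30 host sshd[2200]: Accepted password for al from 192.0.2.10 port 40022 ssh2
Feb 27 12:03:11 host kernel: audit(1077883391.007:0): avc:  denied  { search } for  pid=2230 exe=/usr/sbin/sshd name=mnt dev=hda2 ino=2 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:mnt_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, exe) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not a denial, e.g. an ordinary syslog line
    fields = dict(FIELD_RE.findall(m.group(2)))
    try:
        # A context is user:role:type[:level]; the type is the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return src, tgt, fields["tclass"], set(m.group(1).split()), fields.get("exe", "?")
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Group denials by (source, target, class); merge perms, count repeats."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "exes": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            src, tgt, tclass, perms, exe = rec
            g = groups[(src, tgt, tclass)]
            g["perms"] |= perms
            g["count"] += 1
            g["exes"].add(exe)
    return dict(groups)

def draft_rules(log_text):
    """Candidate allow rules for review; a starting point, not finished policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    print("\n".join(draft_rules(SAMPLE_LOG)))
```

Include the raw 'avc: denied' lines in the report as well, and review each drafted rule before submitting it, since a denial can also mean a file is mislabeled rather than that the policy is missing a rule.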