SE Linux policy

Krzysztof Mazurczyk kmazurczyk at wskiz.poznan.pl
Thu Apr 22 20:23:46 UTC 2004


Hi all,

I have started playing with the new SE Linux. I have it already running.
BTW, a minor question: there are messages in the log that /sbin/unix_verify
is denied from doing something. The system seems to work well. Because
/sbin/unix_verify is from libpam-modules, I'm not sure what to do -
ignore it or add some rules to the policy for /sbin/unix_verify.

I can run user-mode-linux from my shell, but I need to run UML when the main
system boots. UML should generally run via the nohup program in background
mode. My main question is how to do that.
I'm generally looking for a good solution from a security point of view that
is relatively easy to do.
I have thought about:
1) Leave UML running in the initrc_t domain - that is what I have now, but it is bad, isn't it?
2) Create a special domain - this is not possible for me yet.
3) Extend rights for existing domains.
4) Run UML via the runcon program in an init.d script, in the same context
as when run from the shell.

3) and 4) are somewhat similar, but 4) seems to be easier to do.
I can modify the policy by adding 'allow' rules, but I'm not sure if it is
the right way in this case.
I haven't found a document like, let's say, 'general advice' containing
advice like: 'what can be done safely', 'what should be avoided', 'if you
do ... remember about ...', 'be careful if you want ...', 'if you allow
... you weaken policy seriously'. I have a feeling that SE Linux policy has
its own deep philosophy, so I'm afraid of making deeper changes in the policy
and breaking it seriously.

Any advice, help or comments are welcome.

Best regards,
Chris



