The targeted policy is now available on Fedora Core 5 systems, as selinux-policy-targeted 2.*. If you are using Rawhide, simply update your policy using yum. This guide will walk you through switching to the targeted reference policy on a Fedora system not using these repositories.
The policy is available from Sourceforge. Download the policy, and unpack it to a temporary directory. Then use the install-src make target to install the policy sources.
# tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp # cd /tmp/refpolicy # make install-src
The policy source is found in the /etc/selinux/refpolicy/src/policy/ directory.
# cd /etc/selinux/refpolicy/src/policy
Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile). Near the top of the file, the policy has a few build options. The TYPE needs to be set to targeted, the DISTRO option needs to be uncommented and set to redhat, and DIRECT_INITRC should be set to y.
######################################## # # Configurable portions of the Makefile # # Policy version # By default, checkpolicy will create the highest # version policy it supports. Setting this will # override the version. #OUTPUT_POLICY = 18 # Policy Type # strict, targeted, # strict-mls, targeted-mls, # strict-mcs, targeted-mcs TYPE = targeted # Policy Name # If set, this will be used as the policy # name. Otherwise the policy type will be # used for the name. NAME = refpolicy # Distribution # Some distributions have portions of policy # for programs or configurations specific to the # distribution. Setting this will enable options # for the distribution. # redhat, gentoo, debian, and suse are current options. # Fedora users should enable redhat. DISTRO = redhat # Direct admin init # Setting this will allow sysadm to directly # run init scripts, instead of requring run_init. # This is a build option, as role transitions do # not work in conditional policy. DIRECT_INITRC=y # Build monolithic policy. Putting n here # will build a loadable module policy. # Only monolithic policies are currently supported. MONOLITHIC=y # Uncomment this to disable command echoing QUIET:=n
Next, install the policy, application configuration files, and file contexts.
# make install
Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy. It should look similar to this:
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of these two values: # targeted - Only targeted network daemons are protected. # strict - Full SELinux protection. SELINUXTYPE=refpolicy
The system needs to be restarted with the new policy, and relabeled on booting, to finalize the switch.
# touch /.autorelabel # shutdown -r now