selinux-refpolicy/www/html/switch.html

138 lines
3.6 KiB
HTML

<h1>Switching to Targeted Reference Policy</h1>
<p>
The targeted policy is now available on Fedora Core 5 systems, as selinux-policy-targeted 2.*.
If you are using Rawhide, simply update your policy using yum.
This guide will walk you through switching to the targeted reference
policy on a Fedora system not using these repositories.
<p>
<h2>
Download and unpack the policy
</h2>
<p>
The policy is <a href="index.php?page=download">available</a>
from Sourceforge. Download the policy, and unpack it to a temporary
directory. Then use the install-src make target to install the policy
sources.
</p>
<div id="codeblock">
<pre>
# <b>tar -jxvf refpolicy-20050922.tar.bz2 -C /tmp</b>
# <b>cd /tmp/refpolicy</b>
# <b>make install-src</b>
</pre>
</div>
<h2>
Configure the policy
</h2>
<p>
The policy source is found in the
/etc/selinux/refpolicy/src/policy/ directory.
</p>
<div id="codeblock">
<pre>
# <b>cd /etc/selinux/refpolicy/src/policy</b>
</pre>
</div>
<p>
Edit the policy Makefile (/etc/selinux/refpolicy/src/policy/Makefile).
Near the top of the file, the policy has a few build options.
The TYPE needs to be set to targeted, the DISTRO option needs to be
uncommented and set to redhat, and DIRECT_INITRC should be set to y.
</p>
<div id="codeblock">
<pre>
########################################
#
# Configurable portions of the Makefile
#
# Policy version
# By default, checkpolicy will create the highest
# version policy it supports. Setting this will
# override the version.
#OUTPUT_POLICY = 18
# Policy Type
# strict, targeted,
# strict-mls, targeted-mls,
# strict-mcs, targeted-mcs
TYPE = <font color=red><b>targeted</b></font>
# Policy Name
# If set, this will be used as the policy
# name. Otherwise the policy type will be
# used for the name.
NAME = refpolicy
# Distribution
# Some distributions have portions of policy
# for programs or configurations specific to the
# distribution. Setting this will enable options
# for the distribution.
# redhat, gentoo, debian, and suse are current options.
# Fedora users should enable redhat.
<font color=red><b>DISTRO = redhat</b></font>
# Direct admin init
# Setting this will allow sysadm to directly
# run init scripts, instead of requring run_init.
# This is a build option, as role transitions do
# not work in conditional policy.
DIRECT_INITRC=<font color=red><b>y</b></font>
# Build monolithic policy. Putting n here
# will build a loadable module policy.
# Only monolithic policies are currently supported.
MONOLITHIC=y
# Uncomment this to disable command echoing
QUIET:=n
</pre>
</div>
<h2>
Install the policy
</h2>
<p>
Next, install the policy, application configuration files, and
file contexts.
</p>
<div id="codeblock">
<pre>
# <b>make install</b>
</pre>
</div>
<h2>
Change SELinux Configuration
</h2>
<p>
Modify the /etc/selinux/config file, and set SELINUXTYPE to refpolicy.
It should look similar to this:
</p>
<div id="codeblock">
<pre>
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=<font color=red><b>refpolicy</b></font>
</pre>
</div>
<h2>
Restart and Relabel
</h2>
<p>
The system needs to be restarted with the new policy, and relabeled
on booting, to finalize the switch.
</p>
<div id="codeblock">
<pre>
# <b>touch /.autorelabel</b>
# <b>shutdown -r now</b>
</pre>
</div>