> I did and everything works to absolute perfection!
>
> I couldn't help but try it myself. Both "semodule -i" and "restorecon
> -rivvF /" (this is what I executed to relabel the whole file system - is
> that right?) ran without any difficulties and did the job as expected.
> When I later on mounted the image and logged in using qemu everything
> was there as expected (semodule -lv shows the newly installed module and
> I also ran cross checks on the SELinux file attributes to see whether
> they were changed with "ls -Z" and they have).
>
sudo restorecon -R -v should usually suffice.
The -F (force) option forces customizable types to be reset as well.
Customizable types are types defined not to be relabeled by default.
Noted, thanks.
> There is a slight drawback to all of this though - for some (well, most
> really) processes I use non-standard ports (another security measure I
> have taken onboard and implemented). sshd for example is not listening
> on the 'standard' port (tcp/22), but on a different one and this causes
> SELinux to issue "denied { name_bind }" alert. Also, my syslog-ng is
>
For example, if ssh binds tcp sockets to port 11000:
sudo semanage port -a -t ssh_port_t -p tcp 11000
Is this type "ssh_port_t" something, which is already registered (as
part of the targeted policy perhaps?) and I am just modifying it or is
this not the case?
> using a directory, which maps to a non-standard directory (through
> symbolic link - /var/log is a symbolic link to a different/secure
> partition of the disk) and that also causes "denied { read }" with
> "tclass=lnk_file" alert.
>
This will require a patch (need more info : avc denials of this event)
I will post it separately as when I run the image with qemu cutting and
pasting is not as straightforward.
> What documentation source would you recommend for this kind of job? As
> all alterations will be done through the kickstart file I am going to
> use command line tools only - no GUI!
>
www.selinuxbyexample.com
But the best doc, up to date and all, is the source policy. Writing policy
isn't so hard, but there's a lot of it usually, and if you focus on the
amount of rules then it's easy to think that stuff is complex.
If you take away all the types, then it boils down to the core, which
are type statements, classes, attributes, types, interfaces, templates,
permissions, permission sets, and a few more of those things. You can
learn all about those by just studying the source policy.
www.selinuxproject.org also has some nice docs.
Noted, many thanks!
I am really liking this - today tried to execute "semodule -lv >
loaded_modules.txt" (as root and pwd -> /root) and instantly got an
alert - semodule was prevented from creating that file! Lovely stuff!
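As an added example, not part of this thread, here is a small shell helper for the non-standard-port step discussed above (sshd on tcp/11000, and the same idea for syslog-ng). ssh_port_t is a type shipped with the reference/targeted policy; semanage only adds a local port mapping to it. The practical catch is that "semanage port -a" is refused with "already defined" when the port has an exact entry under some other type, in which case "-m" is needed instead. The helper parses the output of "semanage port -l" and picks the right command. SAMPLE_PORT_LIST is a constructed listing in that format so the block runs offline; on a live system pass "$(semanage port -l)" as the last argument. The function names and sample ports are mine, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Decide whether a non-standard port
# needs "semanage port -a" (no exact entry yet) or "semanage port -m" (an
# exact entry already exists under another type, so -a is refused with
# "already defined"). SAMPLE_PORT_LIST is a CONSTRUCTED listing in the
# format printed by "semanage port -l".

SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
syslogd_port_t                 udp      514
unreserved_port_t              tcp      1024-32767, 61001-65535'

# port_match PROTO PORT [LISTING]
# Prints "TYPE exact" if PORT is listed as a single port for PROTO,
# "TYPE range" if it is only covered by a range such as 1024-32767,
# and nothing if no entry covers it.
port_match() {
  local proto port listing
  proto=$1; port=$2; listing=${3:-$SAMPLE_PORT_LIST}
  printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
    NR == 1 || $2 != proto { next }        # skip header and other protocols
    {
      for (i = 3; i <= NF; i++) {          # fields look like "80," or "1024-32767,"
        spec = $i; sub(/,$/, "", spec)
        if (index(spec, "-")) {
          split(spec, r, "-")
          if (port+0 >= r[1]+0 && port+0 <= r[2]+0 && range == "") range = $1
        } else if (spec+0 == port+0) {
          print $1, "exact"; found = 1; exit
        }
      }
    }
    END { if (!found && range != "") print range, "range" }'
}

# semanage_port_cmd TYPE PROTO PORT [LISTING]
# Prints the semanage command that labels PROTO/PORT as TYPE.
semanage_port_cmd() {
  local type proto port listing match cur kind
  type=$1; proto=$2; port=$3; listing=${4:-$SAMPLE_PORT_LIST}
  match=$(port_match "$proto" "$port" "$listing")
  cur=${match%% *}; kind=${match##* }
  if [ "$cur" = "$type" ] && [ "$kind" = "exact" ]; then
    echo "# $proto/$port is already $type, nothing to do"
  elif [ "$kind" = "exact" ]; then
    # Exact entry under another type: -a is refused, -m overrides it
    # (and takes the port away from that other type's domain).
    echo "semanage port -m -t $type -p $proto $port"
  else
    # Only a range (e.g. unreserved_port_t) or nothing covers it: -a adds
    # a local entry, which takes precedence over the range.
    echo "semanage port -a -t $type -p $proto $port"
  fi
}

# Demonstration on the constructed listing: sshd moved to tcp/11000,
# syslog-ng listening on udp/1514, and the unchanged default ssh port.
semanage_port_cmd ssh_port_t tcp 11000
semanage_port_cmd syslogd_port_t udp 1514
semanage_port_cmd ssh_port_t tcp 22
```

After running the printed command, check it with "semanage port -l | grep ssh_port_t" (or "semanage port -l -C" to list only local customizations), make sure sshd_config's Port line matches, and restart the daemon; the name_bind denial should disappear from the audit log. A local entry is removed again with "semanage port -d -t ssh_port_t -p tcp 11000". Be careful with the "-m" case: moving a port that policy already assigns to another type (say one of the http_port_t ports) silently breaks that other service's ability to bind it.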