writing policy requires testing. i usually do my testing in
permissive
mode or with permissive domains.
basically in my initial policy i declare type for know object and
subjects, i make the types usable. Then i add file context
specifications so that the objects are labelled properly. in my initial
policy i also define the domain transitions.
Then i usually test in permissive mode. collect as many AVC denials as i
can and then translate them into human readable policy and extend the
policy module, rebuild, reload and start over again, test, collect,
extend, build, install etc.
Good idea that - switching to permissive mode - as obvious as it might
be, I never thought of that before. Noted!
As for the policy, I haven't yet defined all port interactions yet -
needed to see whether the local binding with mysql would work first
before I plunge myself and do the rest. I also wish to introduce the
restriction for this program to operate on 2 different net interfaces
(with the appropriate port rules for each!), so I haven't got that far yet.