SELinux Policy Creation
I've just recently gotten into the Linux world about six months ago in our RHEL5 environment. Most of our servers that were provisioned over 18 months ago did not have SELinux enabled.
Now, I've got our servers in Permissive mode and I'm going through the audit logs to determine what needs to be done to set the servers to Enforcing.
The problem is, while I can use ausearch, audit2allow and setsebool commands to eliminate the AVC denials, I can't find any useful information to help me identify whether or not I should allow some of the things that are getting flagged.
For example, I'm getting errors about ifconfig (ifconfig_t) attempting to read a log file (var_log_t). I could set a policy to allow ifconfig_t access to var_log_t contexts, but should I do that? Is there somewhere I can go for these types of answers?
Thanks in advance!
Good question. Apart from SELinux-related distribution-provided documentation, 'audit2why' output, setroubleshoot suggestions and the "SELinux by example" book, what remains is searching the 'net for similar issues. Obviously Red Hat's bug tracker pops up at times, and Dan Walsh's web log; I'd say The selinux Archives (the fedora-selinux mailing list) would be your best bet, as that's where people like Daniel J. Walsh and Dominick Grift hang out. As for allowing ifconfig_t access to var_log_t, it would be best if you post exact AVC messages, as I'd rather read those than a description of the problem.
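One way to collect the exact AVC messages into something reviewable before any of them go through audit2allow, as an added example that is not part of the original thread: a Python 3 script that groups denials by source type, target type and object class. The log lines, the path `/var/log/example.log` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1300000000.101:41): avc:  denied  { read } for  pid=2101 comm="ifconfig" path="/var/log/example.log" dev=dm-0 ino=1001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1300000005.202:42): avc:  denied  { read } for  pid=2150 comm="ifconfig" path="/var/log/example.log" dev=dm-0 ino=1001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1300000009.303:43): avc:  denied  { getattr write } for  pid=2200 comm="httpd" name="upload" dev=dm-0 ino=2002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1300000009.303:43): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    src = fields.get("scontext", "").split(":")
    tgt = fields.get("tcontext", "").split(":")
    if len(src) < 3 or len(tgt) < 3 or "tclass" not in fields:
        return None
    # A context is user:role:type[:level]; policy rules are written on the type.
    return {
        "source": src[2],
        "target": tgt[2],
        "tclass": fields["tclass"],
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "object": fields.get("path") or fields.get("name", "?"),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) for manual review."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "comms": set(), "objects": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["count"] += 1
        g["perms"] |= d["perms"]
        g["comms"].add(d["comm"])
        g["objects"].add(d["object"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(g["count"], src, "->", f"{tgt}:{cls}", sorted(g["perms"]), sorted(g["comms"]), sorted(g["objects"]))
```

Each output row corresponds to one rule audit2allow would propose, shown with the command and object that triggered it, so the decision to allow it can be made per rule rather than per log dump.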
Actually, under the how-to section there is a *great* write-up. I've written one for NOVALUG a while back, but this one is superb. Check it out and read it; there is no reason you need to set SELinux into permissive. It's not as complicated as people make it out to be.
Now writing your own policies, that can be a nightmare. ;)