Since FC2t2 was just delayed due to SELinux, no doubt you're wondering
"How do I help with SELinux hacking so I can get my hands on test2?"
The simplest way is to install from rawhide, use the system in as many
ways as you can, and file bug reports against the 'policy' package for any
'avc: denied' messages that show up in the system logs. Please make sure
to check that the bug hasn't already been filed. Try to include all the
information on the problem:
The 'avc: denied' messages themselves.
How to reproduce them:
Which program to run or actions to take
What environment to reproduce in - root login or regular
user login, su session, sudo session, graphical or text
environment, etc.
Whether SELinux in enforcing mode
What file system type (ext3, NFS) might be involved in the
bug
Whether or not you have rebooted since last upgrading your
policy package.
What version of the policy package you have installed
('rpm -q policy')
If you want to go beyond just reporting problems, an even better thing to
do is to write policy to fix the problems you find, and then submit the
policy changes. There are tons of things we have never tried and are
almost guaranteed to blow up. If we have to write policy for all of them,
it will take a very long time.
The audit2allow utility (part of the policycoreutils package) may be
useful here.
If you want to know more about SELinux and writing policies for it, you
can visit http://www.tresys.com/selinux/selinux-course-outline.html
Another tack to take when writing policies is to look at existing policies
for similar programs. For example, if you're writing a policy for rshd,
the policy for sshd might make a good start.
(Kudos to Dan Walsh for all the content here)
-- Elliot
