Re: --EXTERNAL--Welcome to the "selinux" mailing list

The approach I used some years ago was to start by reading the NSA docs as best I could. I did not take them in even close to fully, but I’m still glad I didn’t skip that step. They seem to be here now (I’m out of date at this point): https://www.nsa.gov/what-we-do/research/selinux/documentation/

Next I read some Red Hat and CentOS docs for practical steps to get the targeted policy running on my systems - they are a relief at that point! It has boiled down for me to fixing file context rules first and only adding new policy rules when there was a need and it made sense. There have been times when I generated policy blindly with the tool audit2allow just to get something running, as being better than nothing. But experience has shown me that it is worth the time, when I have it, to figure out which of those were needed and which I was better off blocking. SELinux has been my friend in terms of saving me from buggy software as well. Let me know if you’d like some links.

Also this is cool: http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf

Maria

> On Aug 1, 2016, at 6:20 PM, Parker, Michael D. <Michael.D.Parker@xxxxxx> wrote:
> 
> What are you all doing/have done to boot strap your knowledge about SELinux?
>  
> ***** ***** *****
> Michael D. Parker
> General Atomics - EMS
> Michael.d.parker@xxxxxx  <<<<< NOTE: Remember to include my middle initial >>>>>
> +1 858 964 6675 / Office 86-1319
> 16969 Mesamint Street / San Diego / CA / 92127
>  
> ************************************************************************
> CONFIDENTIALITY NOTICE: This communication is intended to be confidential to the
> person(s) to whom it is addressed.  If you are not the intended recipient or the agent of the
> intended recipient or if you are unable to deliver this communication to the intended
> recipient, you must not read, use or disseminate this information.  If you have received
> this communication in error, please advise the sender immediately by telephone and delete
> this message and any attachments without retaining a copy.
> *************************************************************************
>  
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx