SELinux nightmare

Well, it’s actually not a real nightmare, I just thought this would be a cool title.

As some of you might know I really favor SELinux over AppArmor, although it’s quite hard to use.
Now that EasyLFS is mostly done I am working on it’s SELinux-policy, which is based on the Reference Policy by Tresys.

So far work is progressing quite nicely, the only thing I don’t like about it is that I more or less have no real clue what I’m doing there. Okay, I understand that programs need to access inodes in a certain way, like getting attributes, reading, writing, etc. But what’s still far beyong my understanding is all that domain-crap with it’s transitions and what-nots.
Luckily it seems that currently I don’t really need to care for that too much because I am just building a targeted policy, but still I’d to be able to some day also offer a strict policy for SELinux. That would be so cool!

So, what I am going to do now is this: First I will study the documentation of the Reference Policy on the Tresys-site. If that’s not enough I’m going to buy a fat kickass book about SELinux, probably “SELinux by Example” and read that, instead of continuing my journey to the Dark Tower (I have been there already anyway, just reading it again because I got nothing else right now 😉 ).

I really want to really understand all that stuff. Not only in order to be able to modify the policy. Modifying simple policies is actually easy enough when you check the logs and maybe use audit2allow to tell what’s up. And also SLIDE, that cool SELinux-Policy-development-plugin for Eclipse is quite helpful, but being able to write my own modules to add to the Reference Policy would be a really nice thing.

Well, let’s see. But it’s really time to dive deeper into this.