I've spent the last several weeks doing Fedora/SELinux policy development so that the Likewise Open daemons have just the right amount of access to the system. It was very frustrating at first until I got the right habits and even then it was slower than need be.
Some of my suggestions are ...
Use a VM for testing policy. I had to do a lot of installs, domain joins, and user logins. Being able to revert the VM was essential.
Make sure you see everything going wrong by running semodule -DB, which disables the dontaudit rules that would otherwise hide some denials.
Run in permissive mode. Get as much done on each run as you can. If you run in enforcing mode, you'll probably stop at the first problem. Imagine if the compiler stopped printing at the first warning or error.
Analyze the logs, write new rules, regenerate the policy and then try again. The tool audit2allow is very helpful; I especially love the flag '-R'.
If you're still stuck after doing lots of Google searches, join a mailing list, read the archives and post questions. When all else failed, the denizens of the Fedora SELinux mailing list were extremely helpful.
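To make the "analyze the logs, write new rules" step concrete, here is an added example (not code from the post or from Likewise) that does the core of what audit2allow does: it parses AVC denial records, merges them per source type, target type and class, and renders allow rules for a .te file. The audit lines and the lsassd_t domain name are constructed for the example; the real tool with -R would additionally replace raw rules with reference-policy interface calls.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1250000000.101:42): avc:  denied  { read } for  pid=1234 comm="lsassd" name="passwd" dev=sda1 ino=5678 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1250000000.102:43): avc:  denied  { open } for  pid=1234 comm="lsassd" path="/etc/passwd" dev=sda1 ino=5678 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1250000000.103:44): avc:  denied  { name_connect } for  pid=1234 comm="lsassd" dest=389 scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1250000000.103:44): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1250000000.104:45): avc:  denied  { write } for  pid=1234 comm="lsassd" name="log" scontext=system_u:system_r:lsassd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
"""

# Matches the permission set and the three fields that identify an access vector.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of an SELinux context (user:role:type[:mls])."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, class, permission) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial to translate
        for perm in m.group('perms').split():
            yield type_of(m.group('scontext')), type_of(m.group('tcontext')), m.group('tclass'), perm

def collect_rules(log_text):
    """Merge denials into {(src, tgt, class): sorted perms}, one entry per access vector."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        rules[(src, tgt, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in rules.items()}

def render_te(rules):
    """Render allow statements for a .te file. Review each one before loading it:
    a denial can mean a mislabeled file rather than a permission the daemon needs."""
    lines = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(perms)} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_te(collect_rules(SAMPLE_AUDIT_LOG)))
```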
2 comments:
So did you get it to work without generating the avc denials on .lsassd? If so, why would you not post it here on your blog? It is a very popular topic that lots of people are interested in so that they can apply it to their domains.
I submitted my changes to the selinux project. However, the version of Likewise Open that Likewise has available from the website positions its files slightly differently and has made some changes since my initial work.