Chapter 8 explained the syntax and operation of the statements that make up the SELinux policy language. This chapter explains how to customize SELinux policies. It begins by reviewing the structure of the SELinux policy source tree and the Makefile that’s used to compile, build, and load an SELinux policy. The chapter then explains several typical policy customizations of the sort you’re most likely to perform. Most often, you’ll use customizations recommended by the Audit2allow program. However, you’ll need to carefully review such recommendations rather than blindly implement them. Otherwise, you may extend an unnecessarily broad set of permissions, thereby compromising system security. The chapter concludes with descriptions of some policy management tools, along with hints and procedures for using them.
Chapter 5 explained
structure of the SELinux policy source tree. The source tree
typically resides in the directory
/etc/security/selinux/src/policy; however, your
SELinux distribution may place it elsewhere. Table 9-1 recaps the structure of the policy source tree. You’ll likely find it convenient to refer to this table as you read this chapter; it will help you locate the file that contains a particular type of declaration, the file to which you should add a particular type of declaration, or the directory in which you should create the file to hold a particular type of declaration. In other words, ...