Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / 2fae3ecc70405b72ea6c923b216d34547559d6a9 / . / Documentation / admin-guide / LSM / SELinux.rst
blob: 520a1c2c6fd2781402df590c3850c6f5ebf5a410 [file] [log] [blame]
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]1=======
2SELinux
3=======
4
Serge E. Hallyn93c06cb2008-08-26 14:47:57 -0500[diff] [blame]5If you want to use SELinux, chances are you will want
6to use the distro-provided policies, or install the
7latest reference policy release from
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]8
Petr Vorel04276122018-11-17 07:25:55 +0100[diff] [blame]9 https://github.com/SELinuxProject/refpolicy
Serge E. Hallyn93c06cb2008-08-26 14:47:57 -0500[diff] [blame]10
11However, if you want to install a dummy policy for
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]12testing, you can do using ``mdp`` provided under
Serge E. Hallyn93c06cb2008-08-26 14:47:57 -0500[diff] [blame]13scripts/selinux. Note that this requires the selinux
14userspace to be installed - in particular you will
15need checkpolicy to compile a kernel, and setfiles and
16fixfiles to label the filesystem.
17
18 1. Compile the kernel with selinux enabled.
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]19 2. Type ``make`` to compile ``mdp``.
Serge E. Hallyn93c06cb2008-08-26 14:47:57 -0500[diff] [blame]20 3. Make sure that you are not running with
21 SELinux enabled and a real policy. If
22 you are, reboot with selinux disabled
23 before continuing.
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]24 4. Run install_policy.sh::
25
Serge E. Hallyn93c06cb2008-08-26 14:47:57 -0500[diff] [blame]26 cd scripts/selinux
27 sh install_policy.sh
28
29Step 4 will create a new dummy policy valid for your
30kernel, with a single selinux user, role, and type.
Kees Cook229fd052017-05-13 04:51:44 -0700[diff] [blame]31It will compile the policy, will set your ``SELINUXTYPE`` to
32``dummy`` in ``/etc/selinux/config``, install the compiled policy
33as ``dummy``, and relabel your filesystem.