This is the SELinux development thread for precached.
The current test version of the confinement is in post number 2.
State: for non-production test systems only. Many AVC notices. The blacklist needs improvements.
The confinement is fully functional at the base level. A full test of all precached features is still needed.
Every precached binary and folder is part of the confinement. Port 8023 is preset as usable for the web server, which does not run by default.
Precached is able to load/unload files into memory while the domain is in permissive mode.
Todo
Precached SELinux Guide
Change the working directory to pkg_precached_selinux
Change on version update
precached.te > policy_module(precached, 1.1.1)
precached_selinux.spec > %define selinux_policyver 1.1.1
precached_selinux.spec > Version: 1.1
WARNING: this deletes the existing policy and generates a new one; only use it to start a new bare-bones policy
$ DIDYOUREADME sudo sepolicy generate --init /usr/sbin/precached
Check syntax, test and build policy
$ sudo ./precached.sh
Update precached.pp policy
$ sudo make -f /usr/share/selinux/devel/Makefile precached.pp
Install precached.pp policy (optional)
$ sudo /usr/sbin/semodule -i precached.pp
Check syntax, test and build policy (optional)
$ sudo ./precached.sh
Install policy
$ sudo dnf install ./noarch/precached_selinux-1.1-1.fc30.noarch.rpm
Check that the files were re-confined (labeled with the precached types)
$ ls -Zd /var/lib/precached/ && ls -Zd /usr/sbin/iotracectl
Restart precached service
$ sudo systemctl restart precached
Check for avc notices
(cherry-pick the needed allow rules from the output of the next two commands into precached.te by hand)
$ sudo ausearch -c 'precached' --raw | audit2allow -M my-precached
$ sudo ausearch -c 'precached/fanot' --raw | audit2allow -M my-precachedfanot
Check syntax, test and build policy
$ sudo ./precached.sh --update
Switch to enforcing after the policy has reached a stable level:
remove "permissive precached_t;" from precached.te
To avoid issues, the domain can be set to permissive on first use:
$ sudo semanage permissive -a precached_t
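As an added example (not part of the precached project or of this thread), here is a small shell stand-in for the "ausearch --raw | audit2allow" step in the guide. It shows what audit2allow does with each denial: it turns raw AVC records into one candidate allow rule per source type, target type and class, and then lists separately the rules whose target type should be reviewed instead of pasted into precached.te. The audit records, pids, inodes, paths and the review list are constructed for the example, and the function names avc_to_allow and needs_review are assumptions.

```shell
#!/bin/sh
# Added example, not the precached project's code: a small stand-in for
# "ausearch --raw | audit2allow" that shows what the tool does with each
# denial, so allow rules can be cherry-picked into precached.te one by one.

# Constructed raw AVC records in the shape `ausearch --raw` prints. Pids,
# inodes, paths and the last record (a shadow_t read from the fanotify
# helper) are invented to exercise the code; none is an observed denial.
SAMPLE_AVC='type=AVC msg=audit(1560000000.001:101): avc:  denied  { read } for  pid=4242 comm="precached" name="iotrace.db" dev="dm-0" ino=111 scontext=system_u:system_r:precached_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1560000000.002:102): avc:  denied  { open } for  pid=4242 comm="precached" path="/var/lib/precached/iotrace.db" dev="dm-0" ino=111 scontext=system_u:system_r:precached_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1560000000.003:103): avc:  denied  { name_bind } for  pid=4242 comm="precached" src=8023 scontext=system_u:system_r:precached_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1560000000.004:104): avc:  denied  { read } for  pid=4243 comm="precached/fanot" name="shadow" dev="dm-0" ino=222 scontext=system_u:system_r:precached_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1'

# Read raw AVC records on stdin and print one candidate rule per
# (source type, target type, class), merging the permissions of all
# matching denials, e.g. "allow precached_t var_lib_t:file { read open };".
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # the permission list sits between the braces after "denied"
        perms = $0
        sub(/.*denied +[{] */, "", perms)
        sub(/ *[}].*/, "", perms)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # the type is the third field of a user:role:type:level context
            if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        if (s == "" || t == "" || c == "") next
        key = s " " t ":" c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "" ? p[j] : seen[key] " " p[j])
    }
    END {
        for (k in seen) printf "allow %s { %s };\n", k, seen[k]
    }' | sort
}

# Filter the candidate rules whose target type must not be allowed blindly.
# The list is a constructed starting point: shadow_t as a type no daemon
# policy should open without a clear reason, unreserved_port_t because the
# guide reserves a single port (8023) and a rule on the whole unreserved
# range is far broader than that.
needs_review() {
    grep -E '(shadow_t|unreserved_port_t):'
}

printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow | needs_review
```

Run it with the constructed records to see three candidate rules, two of which land in the review list; on a real system replace the printf with `sudo ausearch -c 'precached' --raw`, keep only the rules that survive review, and copy those into precached.te before rebuilding with precached.sh --update.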