Proceeding with my SELinux experience wrapup:

  • never call /etc/init.d/something. Use run_init /etc/init.d/something. It usually will appear to have worked, but the contexts will be wrong and you’ll get odd violations. (i’ve read that the fedora guys have found a way for at least cron to transition into its proper domain automatically)
  • never use apt-get or dpkg in a modifying call directly. Use se_dpkg and se_apt-get. In fact i recommend adding an alias. (you’ll survive having to enter your password for things like “dpkg -L”, or use /usr/bin/dpkg) I bet these things could be avoided if one would make apt-get and dpkg selinux-aware, but unless selinux is in main i prefer this wrapper-solution.
  • avoid things like “audit2allow”. Try to understand the macros and write proper policy rules. Use “dontaudit” when the access is not needed. For example: dontaudit { dpkg_t apt_t } newrole_t:fd { use };

Fucked today in unstable: cron. If you don’t need “crontab”, you can just touch /usr/bin/crontab and it will configure and cron should run. But no crontab editing until the next upload (which probably is in incoming)