I have not been active with SELinux recently. I was seriously lacking motivation, and recently the old server I was using to test my SELinux stuff died because of a hardware failure.

But these days I installed vmware, and in order to try it out, I decided to install a SELinux Debian etch system. Then I also updated my policy packages.

I actually made quite some progress on the packages; I not only merged the latest upstream SVN version, I also fixed a couple of Debian policy issues (or worked around them), and added some new functionality.

First of all, I extended the update tool (now called update-selinux-policy). It will not only install the current version of each module, but also rerun autodetection and install additional modules if you added software in the meantime (it won’t do the relabeling for you, though). This should make system administration a lot easier.
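To illustrate the "install the current version of each module" step, here is an added sketch in POSIX sh that is not the update-selinux-policy tool itself: it takes the loaded-module list in the shape `semodule -l` prints (name, tab, version) and the list of modules shipped by the policy package, and works out which modules are missing or out of date. Both lists and the `MODDIR` path are constructed sample data; the actual `semodule -i` call is left as a comment so the script runs without a policy store.

```shell
#!/bin/sh
# Added illustration, not the author's update-selinux-policy tool: decide which
# SELinux policy modules need (re)installing. Inputs are constructed samples.

# Modules currently loaded in the policy store, as `semodule -l` prints them
# (module name, a tab, module version).
INSTALLED='apache	1.3.4
bind	1.2.0
cron	1.5.1'

# Modules shipped by the policy package (name and version of each .pp file).
AVAILABLE='apache	1.3.6
bind	1.2.0
cron	1.5.1
postgresql	1.1.0'

# Hypothetical directory holding the packaged .pp files.
MODDIR=/usr/share/selinux/refpolicy

# modules_needing_update INSTALLED AVAILABLE
# Prints one module name per line: modules not loaded at all, plus modules whose
# packaged version differs from the loaded one (the packaged version is what we
# want on the system either way).
modules_needing_update() {
    printf '%s\n' "$2" | while IFS="$(printf '\t')" read -r name ver; do
        [ -n "$name" ] || continue
        have=$(printf '%s\n' "$1" | awk -F'\t' -v n="$name" '$1==n {print $2; exit}')
        if [ -z "$have" ] || [ "$have" != "$ver" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# install_plan prints the modules that would be installed. The real step for
# each name would be: semodule -i "$MODDIR/$name.pp" (not executed here).
# Note that loading a module does not relabel files; after adding modules for
# newly installed software, a restorecon run over the affected paths is still
# the administrator's job.
install_plan() {
    modules_needing_update "$INSTALLED" "$AVAILABLE"
}

install_plan
```

With the sample lists above the plan is `apache` (loaded 1.3.4, packaged 1.3.6) and `postgresql` (not loaded); `bind` and `cron` are already current and are skipped.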

The packages now come with a -dev companion, which includes the interface files. The README.Debian file details how you can use this to build a custom policy module, and the policygentool included will actually generate a template for you. This should make the development of policy modules a lot easier.

Grab the policy packages from my experimental refpolicy directory.

Note: while they share the “refpolicy” source name with the packages in Debian main, they are packaged independently. Manoj is maintaining the official packages, and I never learned how his Makefiles work, so I’m sticking to my own packaging for my development stuff.

Oh, and for me they don’t work in enforcing strict mode at boot yet. Policy is still incomplete for Debian (but down to ~25 audit errors). Targeted mode works in enforcing at boot time. The main issue seems to be the way Debian’s init ramdisk works and the way the /dev directory is populated.

But maybe I can host a SELinux-enabled basic vmware image somewhere that you could use to clone SELinux servers yourself as needed.

I don’t think I’ll keep the packages updated frequently, sorry, and I don’t think I’ll have time to get enforcing working for strict, either. :-(