How to install SELinux Policy Editor
2005. 07.18
By Yuichi Nakamura <ynakam@gwu.edu>

This is intall document for SELinux Policy Editor and simplified policy.

Contents
1. Before INSTALL
2. Installing Simplified Policy
2.1 . Installing from RPM
2.2  Instaling from  Source
2.3 After install
2.4 How to uninstall
3. Installing GUI
3.1 Install Webmin
3.2 Install GUI

---

1. Before INSTALL
(1) What should you install ?
SELinux Policy Editor is composed of simplified policy and GUI.
Must component is simplified poilcy.
GUI is optional. Without GUI, you can use simplified policy.
But with GUI, SELinux becomes much easier.

(2) Supported environment
We tested it work only on Fedora Core4 and Fedora Core3.
Fedora Core 4 is prefered.
Note that our tool is experimental, may contain serious bugs.
We have no responsibility for the damage that is caused by our tool.
Policy is under construction, now limited serveces are supported, such as auditd, syslog, httpd,  webmin, iptables, network

(3) Switch to runlevel  3.
Example simplified policy does not support X Windows system.
(policy for Fedora Core4 partly support X, but it will not run on enforcing mode.
So you have to run system on run level 3.
Modify /etc/inittab like below.
* Before
id:5:initdefault:
* After
id:3:initdefault:

2. Installing Simplified Policy
To use simplified policy you should install converter(compiler for simplified policy) and sample simplified policy.
You have two choice, one is  from RPM the other is from tarball.

2.1 . Installing from RPM
(1) Download RPM from http://sourceforge.net/projects/seedit/.
- seedit-converter-1.0.0-<distro>.rpm
   compiler for simplified policy
- seedit-policy-easy-1.0.0.-<distro>.rpm
   Sample simplified policy. seedit-policy-easy-1.0.0.-FC3.rpm is for Fedora Core3,
seedit-policy-easy-1.0.0.-FC4.rpm is for Fedora Core4.

(2) Install  RPM
# rpm -ivh seedit-*.rpm

(3) Reboot
After installing, reboot. Relabel will run.

(4) restore type label
And　login as root,  (ignore error messages here)
At first login, type label might not be correct.
So type following commands.
# restorecon -R /dev /etc
# cd /etc/selinux/seedit/src/policy
# make diffrelabel

(5) Reboot again
After logging in , reboot again.

Go to 2.3(After install)

2.2  Instaling from  Source
(1) Download tar ball http://sourceforge.net/projects/seedit/.
- seedit-converter-1.0.0.tar.gz
  compiler for simplified policy
- seedit-policy-1.0.0.tar.gz
 Sample simplified policy

(2)   Install converter
# tar xzvf *.tar.gz
# cd seedit-converter-1.0.0
# make install

(3) Install sample policy
# cd seedit-policy-1.0.0
If you are using Fedora Core3,
edit Make file like below
- before:DISTRO=fc4
- after: DISTRO=fc3
# make install

(4)
# touch /.autorelabel

(5) Edit /etc/selinux/config like following
SELINUX=permissive
SELINUXTYPE=seedit

Go to 2.3

2.3 After install
(1) Make sure that following two lines are included in /etc/selinux/config 
SELINUX=permissive
SELINUXTYPE=seedit

(2)  Make sure that  the result of sestatus is like below.
# sestatus
SELinux status: enabled
...
Policy from config file: seedit
...

(3) If you've installed from source, you need following.
Reboot again. and
# cd /etc/selinux/seedit/src/policy
# make diffrelabel

(4) Edit policy as you like
Test applications and edit policy.
About how to edit policy see "Configuring SELinux by Simplified Policy".
We also provide GUI, by GUI you can easily edit  policy, see 3.

(5) Switch to enforcing mode
If you find policy is sufficient, switch to enforcing mode.
# setenforce 1
and edit /etc/selinux/config like below.
SELINUX=enforcing
SELINUXTYPE=seedit


2.4 How to uninstall
(1) When installed from RPM
# rpm -e seedit-converter seedit-policy-easy
# reboot
On next boot, system will init as permissive mode and targeted policy.
And reboot again.

(2)When installed from tar ball
Edit /etc/selinux/config like below
SELINUX=permissive
SELINUXTYPE=targeted
Then,
# touch /.autorelabel
# rm /usr/local/bin/converter
# rm -rf /etc/selinux/seedit
# reboot.
On next boot, system will init as permissive mode and targeted policy.
And reboot again.

3. Installing GUI(optional)
3.1 Install Webmin
GUI is implemented as webmin module, you need to install webmin.

(1) Install perl-Net-SSLeay
# yum install perl-Net-SSLeay
perl-Net-SSLeay will be installed from fedora-extra.

(2) Download RPM for webmin from http://www.webmin.com/

(3) Install webmin
# rpm -ivh webmin-<version>.rpm

3.2 Install GUI
(1) Download GUI
Download seedit-gui-1.0.0.tar.gz from http://sourceforge.net/projects/seedit/.

(2)
"Webmin configuration" -> " Webmin Modules" -> "Install Module" -> "From localfile"
Select seedit-gui-1.0.0.tar.gz and press "install module"

(3) Edit  /etc/webmin/seedit-gui-1.0.0/config
If you installed simplified policy from source, you should modify "converter_path" entry like below.
converter_path=/usr/local/bin/converter

(4)  
System->SELinux security configuration->Update configuration
Press "Load poliyc and relabel only newly labeled files".

(5) Reboot
Reboot and check miniserv.pl is running as "webmin_t"  domain.

(6) For detail see GUI manual.