With the release of Red Hat Enterprise Linux 5 Beta 2, I am getting more questions about customizing policy. In RHEL4 we advised people to install the selinux-policy-targeted-sources packages and then to create a local.te file in the /etc/selinux/targeted/src/policy/domains/misc directory. You could use audit2allow to translate the AVC messages into allow rules, and then the admin could rebuild policy and reload. The problem with this was that every time a new policy package got released, it would have to exec the Makefile in order to try to keep the local policy. Well, with the release of Red Hat Enterprise Linux 5, this all changes. We have eliminated the “sources” rpm packages altogether. We are treating the policy packages more like the kernel, and if you want to look at the sources used to build the policy, you need to install the source rpm, selinux-policy-XYZ.src.rpm. We have added an selinux-policy-devel package, which I will talk about later.
So what does an administrator do when he wants to make some small modifications to policy?