Testing and enhancing the policy
With the policy ready and loaded, it is time to start testing the application from a user's perspective, while keeping an eye on the audit logs (for denials) and application output.
Testing the application is an important phase of policy development and will also be the most time-consuming task. During testing, several functional features of the application will be tried and the resulting permissions (SELinux-wise) will need to be added to the policy.
In previous recipes, such as Creating a skeleton policy, we enabled a set of permissions based on other policies and common sense. However, these permissions have not been validated and tested yet. In this recipe, we will verify that the permissions are truly needed, as we do not want to create a policy with too many rights associated with it.
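The following is an added example, not code from the book: it reads AVC denial records from the audit log, keeps only those logged for one domain at or after the moment a test run started, and groups the denied permissions into candidate allow rules to review. The domain names myapp_t and other_t, the timestamps, and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines; myapp_t and other_t are hypothetical domains.
SAMPLE_LOG = """\
type=AVC msg=audit(1700000050.100:101): avc:  denied  { read } for  pid=900 comm="myapp" name="old.log" dev="sda1" ino=11 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000100.200:102): avc:  denied  { read open } for  pid=950 comm="myapp" name="app.conf" dev="sda1" ino=12 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000101.300:103): avc:  denied  { getattr } for  pid=950 comm="myapp" path="/etc/app.conf" dev="sda1" ino=12 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000102.400:104): avc:  denied  { write } for  pid=960 comm="other" name="tmp" dev="sda1" ino=13 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000103.500:105): avc:  denied  { name_connect } for  pid=950 comm="myapp" dest=80 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
""".splitlines()

# Fields of an AVC denial record: timestamp, permissions, contexts, class.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_since(lines, start_ts, domain):
    """Group denied permissions for `domain` logged at or after start_ts."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or float(m["ts"]) < start_ts:
            continue  # not a denial, or left over from before this test run
        if context_type(m["scontext"]) != domain:
            continue  # denial belongs to another domain
        key = (context_type(m["tcontext"]), m["tclass"])
        needed[key].update(m["perms"].split())
    return dict(needed)

def as_allow_rules(domain, needed):
    """Render the grouped denials as candidate rules for manual review."""
    return [
        f"allow {domain} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (ttype, tclass), perms in sorted(needed.items())
    ]

if __name__ == "__main__":
    found = denials_since(SAMPLE_LOG, 1700000100.0, "myapp_t")
    print("\n".join(as_allow_rules("myapp_t", found)))
```

Each rule printed this way is a candidate only: decide whether the access is really needed before adding it, so the policy does not accumulate unnecessary rights.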
How to do it…
Testing policies is a repetitive task. Every try-out means that the AVC denials leading up to the start need to be discarded (as we do not want to include privileges...