Anyway, here is what the latest tool looks like in Fedora 15. I will demonstrate writing a policy for sandbox: in this case, a policy to run thunderbird within a sandbox.
Select Sandbox, Hit Forward
You need to name the policy; in this case I called it sandbox_mail. Click Forward.
Since the sandbox_mail app will not be binding to any network ports, I click Forward again.
I add ports 25, 143, 993 as ports the sandbox will be allowed to connect to. Forward.
I decide I want to create a boolean called sandbox_mail_connect_all, with the goal of allowing the domain to connect to the entire network.
I tell the tool to create the policy files in the /tmp directory and click Apply.
The selinux-polgengui tool creates the policy files and a script to install them.
Now you execute the sandbox_mail.sh install script.
# sh sandbox_mail.sh
Building and Loading Policy
+ make -f /usr/share/selinux/devel/Makefile
Compiling targeted sandbox_mail module
/usr/bin/checkmodule: loading policy configuration from tmp/sandbox_mail.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/sandbox_mail.mod
Creating targeted sandbox_mail.pp policy package
rm tmp/sandbox_mail.mod tmp/sandbox_mail.mod.fc
+ /usr/sbin/semodule -i sandbox_mail.pp
Now you can test out your policy in a different terminal
> sandbox -X -t sandbox_mail_t thunderbird
Thunderbird should run fine, since selinux-polgengui declared the SELinux types as permissive: denials are logged as AVCs but not enforced. You will probably want a persistent home and tmp directory (the -H and -T options to sandbox) rather than the default throwaway ones, since you need Thunderbird's account setup to survive between runs.
After running some tests with thunderbird, you can use the audit2allow tool to generate more rules for your sandbox_mail sandbox.
# grep sandbox_mail_t /var/log/audit/audit.log | audit2allow -R >> sandbox_mail.te
Examine the generated rules to see if they make sense. Note that the grep matches every line mentioning sandbox_mail_t, including denials where it is the target rather than the source domain, so drop any rule that does not describe something the sandbox itself needs to do. Then rebuild and reload the module:
# sh sandbox_mail.sh
Try the sandbox again and see if you eliminated all of the AVCs. When you are satisfied the policy works the way you want, remove the permissive declarations from the .te file and rebuild, so that the sandbox_mail_t domain is actually enforced.
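As an added illustration (not part of the original post, the polgengui tool, or audit2allow), the following Python script shows what the audit2allow step does with the logged denials and why the grep deserves a second look. It parses AVC lines, keeps only the denials whose source domain is sandbox_mail_t, merges permissions per target type and object class, and prints raw allow rules (the form audit2allow emits without -R; -R additionally substitutes reference policy interface calls where it can). It also counts how many lines a plain grep for sandbox_mail_t would have matched, so you can see the extra denial that was only about the sandbox as a target. The sample log lines, their PIDs, inodes, and the types in them are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from a real system). The last line has
# sandbox_mail_t as the *target* of a denial from unconfined_t: a plain grep for
# the type name would hand it to audit2allow too, but it is not a rule the
# sandbox domain itself needs.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1309876543.123:456): avc:  denied  { read } for  pid=1234 comm="thunderbird" name="resolv.conf" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c1,c2 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1309876543.124:457): avc:  denied  { open } for  pid=1234 comm="thunderbird" name="resolv.conf" dev=dm-0 ino=12345 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c1,c2 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1309876543.200:458): avc:  denied  { name_connect } for  pid=1234 comm="thunderbird" dest=587 scontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c1,c2 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1309876543.300:459): avc:  denied  { sigkill } for  pid=999 comm="gnome-session" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:sandbox_mail_t:s0:c1,c2 tclass=process
"""

# Pull the permission set, both contexts and the object class out of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type (third colon-separated field) of a SELinux security context."""
    return ctx.split(":")[2]


def grep_matches(log_text, needle):
    """Lines a plain `grep needle` would pass to audit2allow: any mention of the string."""
    return [line for line in log_text.splitlines() if needle in line]


def parse_avcs(log_text, source_type):
    """Yield (source, target, tclass, perms) for denials whose *source* domain is source_type."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        if src != source_type:
            continue  # sandbox_mail_t appears, but only as the target of someone else's access
        tgt = context_type(m.group("tcontext"))
        perms = set(m.group("perms").split())
        yield src, tgt, m.group("tclass"), perms


def allow_rules(log_text, source_type):
    """Merge denials into one `allow` rule per (source, target, class), like audit2allow."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(log_text, source_type):
        merged[(src, tgt, cls)] |= perms
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


if __name__ == "__main__":
    domain = "sandbox_mail_t"
    print("# lines a plain grep would feed to audit2allow: %d"
          % len(grep_matches(SAMPLE_AUDIT_LOG, domain)))
    print("# denials actually made by %s: %d"
          % (domain, len(list(parse_avcs(SAMPLE_AUDIT_LOG, domain)))))
    for rule in allow_rules(SAMPLE_AUDIT_LOG, domain):
        print(rule)
```

The two rules it prints (read/open on net_conf_t, name_connect to smtp_port_t) are the kind you would expect a mail client to need and can append to the .te file; the sigkill denial is dropped because its source is unconfined_t, not the sandbox. On a real system this filtering is what you should do by eye when you examine audit2allow's output before rebuilding the module.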
Please send any Ideas on improving the GUI to me.