Tweaking a system to work properly with SE Linux

In a typical Unix system most noteworthy things run as root and have full access to the system. Because of this the variety of scripts used in running a system have little structure and it is often difficult to get them to work nicely in a domain-type security model.
In this document I will list a number of minor changes that may be required to a typical Linux system to make it run with SE Linux.

libnss-db requires that all programs get access to the database directory (/var/lib/misc by default) and the files under it. The policy could be adjusted to assign etc_t to the directory containing those files, and the cron job used to rebuild the databases would need to be granted write access to etc_t.
However I have not bothered doing this as nss-db on Linux still has issues due to having no mechanism for automatic updates and for the applications to determine whether the flat-file or the db has the most current data. If the Linux implementation was as good as the AIX implementation then I would sort this out. However I don't feel inclined to write policy for something that has so many problems (and which does not actually give a performance benefit in the vast majority of systems).
Postfix runs with most of it's programs in a chroot environment in the default configuration. In Debian if you have a chroot enabled for any daemon then whenever Postfix is started the chroot will be rebuilt. I did not want to grant the Postfix startup scripts the access needed to rebuild this, and it seems to offer little benefit as the SE Linux policy for Postfix is far more restrictive than a chroot on a regular Unix system. So I recommend configuring Postfix to not run any of it's programs in a chroot.
The script /etc/init.d/nfs-kernel-server in Debian runs rpcinfo to check on the capabilities of the nfsd before running the mountd. Comment out the following two lines because we don't want to allow initrc_t so much access. If you are running a kernel with NFS v3 support then it will be OK like this, if your kernel does not have NFS 3 support then manually add the "--no-nfs-version 3" option.
```
$PREFIX/bin/rpcinfo -u localhost nfs 3 >/dev/null 2>&1 ||
    RPCMOUNTDOPTS="$RPCMOUNTDOPTS --no-nfs-version 3"
```
The setserial package in Debian has init scripts that need to run ls under /dev which requires more access for the initrc_t domain. One solution is to replace the scripts /etc/init.d/setserial and /etc/init.d/etc_setserial with a single script that directly runs setserial on the devices that need it. I just disables those scripts on my systems as the defaults work fine.
In Debian the script /etc/cron.daily/standard tries to make a backup copy of /etc/shadow, but the default SE Linux policy does not permit this. Comment out the relevant lines.
Remove /dev/[tp]ty[abcdepqrstuvwxyz][0-9a-f] . There is currently no support in SE Linux for old-style pseudo-tty's, only for Unix98 /dev/pts, and there is no plans to add it. This is no loss as all Linux software supports Unix98.
In Debian the sysklogd recreates /dev/xconsole on every boot. This is a silly thing to do but the package maintainer wants to do it anyway. Comment the relevant lines in /etc/init.d/sysklogd.