Setting up a sandbox looks like it would be even more work than creating a custom policy, so I'm working on the policy. Question for the SELinux gurus out there. VirtualBox has a number of executable files, scripts, and .so files in a single directory, /usr/lib/virtualbox. The main daemon, VBoxSVC, is also in this dir. Should I use selinux-polgen to create a policy for each executable with its own type, i.e. VBox_exec_t & VBoxSVC_exec_t & VBoxWhatever_exec_t, or just lump them all together under a single exec_t type?
Second question: how should I write the context for this directory? Currently my VirtualBox.fc lists /usr/lib/virtualbox(/.*)? gen_context(system_u:object_r:VirtualBox_rw_t,s0), which gives the main VirtualBox exec_t file read/write access to that directory, but none of the files within are listed as an exec_t type. The problem is that there are both executable files and non-executables in that dir, so I can't just label the whole thing one way. Do I have to change the .fc to list each file individually? Can I just list the exceptions and leave the general rw_t in place for the rest?
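An added illustration of the .fc layout the second question describes; this is not from the original post. The VirtualBox_exec_t name and the choice of which files get their own exec type are assumptions, and the types would still need to be declared in the module's .te file.

```text
# Directory-wide rule: libraries, scripts and data keep the rw_t label.
/usr/lib/virtualbox(/.*)?	gen_context(system_u:object_r:VirtualBox_rw_t,s0)

# Exceptions: an entry with a longer literal path is more specific, so it
# takes precedence over the directory-wide rule regardless of its order in
# the file. The "--" field restricts the entry to regular files only.
/usr/lib/virtualbox/VirtualBox	--	gen_context(system_u:object_r:VirtualBox_exec_t,s0)
/usr/lib/virtualbox/VBoxSVC	--	gen_context(system_u:object_r:VBoxSVC_exec_t,s0)
```

After the module is rebuilt and loaded, restorecon -Rv /usr/lib/virtualbox applies the labels, and matchpathcon /usr/lib/virtualbox/VBoxSVC shows which entry won for a given path.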