SELinux configuration (was:Re: Proposal: Discourage rpmbuild --sign)

Lamar Owen lowen at pari.edu
Sat Jan 3 13:43:51 UTC 2004


On Wednesday 31 December 2003 08:25 pm, Alan Cox wrote:
> Once SELinux is in the picture the rules change. You can set up the
> buildroot for example with rules of the form
>
> 	Nothing but a trusted copy of rpm may alter the buildroot proper
> 	The building task in the buildroot may not alter anything outside its
> build tree The building task may not talk to the network
> 	The building task may not run the trusted copy of rpm
> 	The building task many not read anything outside the buildroot

Since this topic has been breached, I'm kindof interested in what sort of 
configuration tools are going to be packaged to manage the SELinux stuff.  
This whole thing sounds very powerful, very flexible, and very complicated, 
from the learning curve point of view.

This whole thing reminds me somewhat of a ZoneAlarm on steroids: being able to 
restrict network access on a per-task basis, while being a very small part of 
SELinux, reminds me of ZA's capability to restrict programmatic network 
access.  That capability sounds very good and would be one I would use.  But 
to make it work well good tools for manipulating this stuff, without making 
it too complicated (yet showing the power of the tool), will have to be 
written.  A tool that quickly conveys the full power of SELinux, but yet is 
intuitive to use.
-- 
Lamar Owen
Director of Information Technology
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC  28772
(828)862-5554
www.pari.edu





More information about the fedora-devel-list mailing list