Policy about network-listening daemons running as root?
Daniel J Walsh
dwalsh at redhat.com
Tue May 22 17:16:35 UTC 2007
Tom "spot" Callaway wrote:
> On Tue, 2007-05-22 at 12:52 -0400, Daniel J Walsh wrote:
>
>
>> If it runs as root, it should drop capabilities that it does not need,
>> and it should have an SELinux policy to confine it. Of course if it
>> runs as non-root, it should have an SELinux policy to confine it.
>>
>> These are shoulds not musts.
>>
>
> Dan, is there a simple guide for packagers on how to make SELinux policy
> for these cases?
>
> Also, is it possible to package policy as part of an application, or do
> changes still need to go in the master policy package?
>
> ~spot
>
I am writing up a guide on writing policy for Red Hat Magazine. I have
a presentation on this at
http://people.redhat.com/dwalsh/SELinux/Presentations/PolicyGeneration.pdf

The latest policycoreutils-gui has a new tool (polgengui), which is
launchable from system-config-selinux, to help you build a policy.

As far as shipping policy inside of RPM,
http://fedoraproject.org/wiki/PackagingDrafts/SELinux
is the best we have right now.

Dan