experimental relaxed policy

Thomas Molina tmolina at cablespeed.com
Mon May 3 22:16:57 UTC 2004


> >>There has been some work done on a "relaxed" policy.  The intention of
> >>this policy is to simply protect system daemons, and not user logins. 
> >>Right now there is just a policy for apache (which doesn't really work
> >>due to a kernel bug).  Everything else runs in an "unconfined_t" domain,
> >>which essentially has every SELinux permission, and thus you are back to
> >>relying on DAC.
> 
> One of the things we are considering is limiting the number of daemons
> we will lock down. We have picked out an arbitrary number of 5 for now
> and are trying to figure out which are the 5 daemons we would like to
> put in relaxed policy.
> 
> My ideas are
> 
> apache
> bind
> sendmail
> ftp
> ssh???  (Not sure this one is worth securing).

I am apparently not expressing myself well.  My point is that if we are 
relaxing policy to the point where you are relying on DAC, what is the 
point?  I want to test strict policy on those things where it most makes a 
difference.  In that vein, sendmail and bind are two which have 
historically had a lot of problems.  I would think those would be 
candidates for stricter policy, not more permissive.



More information about the fedora-selinux-list mailing list