Core 2 SELinux installation

Richard Hally rhally at mindspring.com
Sun May 2 22:14:34 UTC 2004


Stephen Smalley wrote:

> On Fri, 2004-04-30 at 05:40, Pete Chown wrote:
> 
>>I think this is especially true for a new security technology.  Most
>>people's view of security is quite simplistic: they want the bad guys
>>kept out, without their work being interfered with.  If SELinux
>>interferes with their work, they will turn it off, reasoning that normal
>>Unix security has kept the bad guys out so far.  They are then unlikely
>>to try it again later however much people tell them that the policy has
>>been improved.
> 
> 
> So how would people feel about a separate relaxed policy that allows
> everything in the system to run completely unconfined except for a small
> set of specific services, e.g. apache, bind, postfix, ...
> That would ensure that SELinux wouldn't get in the way of users, while
> providing some protection benefit for network-facing services.
> 
Another separate example policy would be very good. Additional different 
example policies would 1) demonstrate the flexibility of the concept and 
mechanism and 2) provide usage information that would be useful in 
designing a better 'language' or higher level of abstraction. If there 
is an improved 'language', implementation and usage would be facilitated.
Richard Hally




More information about the fedora-selinux-list mailing list