Re: experimental relaxed policy

Thomas Molina wrote:

On Sun, 2 May 2004, Colin Walters wrote:


There has been some work done on a "relaxed" policy. The intention of
this policy is to simply protect system daemons, and not user logins.
Right now there is just a policy for apache (which doesn't really work
due to a kernel bug). Everything else runs in an "unconfined_t" domain,
which essentially has every SELinux permission, and thus you are back to
relying on DAC.

This sounds like a regression to me. Is this going to be instead of further development of the strict policy, or in addition to it?

We are having talks now and are investigating how we can support both a strict and relaxed policy.
Nothing formal has been decided. One of the goals is to figure out how we can have one policy (te) file
shared between them that will work for both. I don't want to end up with an apache-strict.te and an
apache-relaxed.te. But this is probably a matter of tunables within the policy file.

One of the things we are considering is limiting the number of daemons we will lock down. We have picked out
an arbitrary number of 5 for now and are trying to figure out which are the 5 daemons we would like to put in relaxed policy.

My ideas are

ssh???  (Not sure this one is worth securing).

I would like to have other comments on which daemons should be in the first version of Relaxed policy. We hope to have something out this week.
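The "one .te file with tunables" idea above can be sketched as a policy fragment. This is an added illustration, not code from the thread or from the Fedora policy of that time: it uses the later reference-policy macros (`policy_module`, `gen_tunable`, `tunable_policy`, `read_file_perms`) rather than the 2004-era m4 `ifdef` sources, and the boolean name `httpd_relaxed_access` and the exact rule set are assumptions chosen only to show the mechanism. The baseline rules confine apache identically in both builds; the extra reach is gated on a boolean that the relaxed build can turn on at runtime with `setsebool`, so a single apache.te serves both policies.

```m4
# apache.te fragment (added example; boolean name and rule set are assumptions)
policy_module(apache, 1.0.0)

# Domain for the web server and the label of its executable
type httpd_t;
type httpd_exec_t;
init_daemon_domain(httpd_t, httpd_exec_t)

# Labels for configuration and served content
type httpd_config_t;
files_config_file(httpd_config_t)
type httpd_sys_content_t;
files_type(httpd_sys_content_t)

# Runtime switch: off by default (strict behaviour), the relaxed build
# can flip it with "setsebool -P httpd_relaxed_access on".
gen_tunable(httpd_relaxed_access, false)

# Rules every build gets: httpd reads its own config and content, nothing more.
allow httpd_t httpd_config_t:file read_file_perms;
allow httpd_t httpd_sys_content_t:dir list_dir_perms;
allow httpd_t httpd_sys_content_t:file read_file_perms;

# Wider reach that only the relaxed configuration enables. Everything
# here is still a named, auditable allow rule; httpd never becomes
# unconfined_t, so a compromised daemon stays inside this list.
tunable_policy(`httpd_relaxed_access',`
    userdom_list_user_home_dirs(httpd_t)
    userdom_read_user_home_content_files(httpd_t)
')
```

On a running system `getsebool httpd_relaxed_access` shows which behaviour is active, and an AVC denial for `httpd_t` against a `user_home_t` file is the expected signal when the boolean is off. Keeping the daemon's rules in one file means the strict and relaxed builds differ only in boolean defaults, which is easier to review than two diverging .te files.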