experimental relaxed policy

Daniel J Walsh dwalsh at redhat.com
Mon May 3 14:48:05 UTC 2004


Thomas Molina wrote:

>On Sun, 2 May 2004, Colin Walters wrote:
>
>>Hi,
>>
>>There has been some work done on a "relaxed" policy.  The intention of
>>this policy is to simply protect system daemons, and not user logins. 
>>Right now there is just a policy for apache (which doesn't really work
>>due to a kernel bug).  Everything else runs in an "unconfined_t" domain,
>>which essentially has every SELinux permission, and thus you are back to
>>relying on DAC.
>
>This sounds like a regression to me.  Is this going to be instead of 
>further development of the strict policy, or in addition to it?  
>
We are having talks now and are investigating how we can support both a
strict and relaxed policy.  Nothing formal has been decided.  One of the
goals is to figure out how we can have one policy (te) file shared
between them that will work for both.  I don't want to end up with an
apache-strict.te and an apache-relaxed.te.  But this is probably a
matter of tunables within the policy file.

One of the things we are considering is limiting the number of daemons
we will lock down.  We have picked out an arbitrary number of 5 for now
and are trying to figure out which are the 5 daemons we would like to
put in relaxed policy.

My ideas are

apache
bind
sendmail
ftp
ssh???  (Not sure this one is worth securing).

I would like to have other comments on which daemons should be in the
first version of Relaxed policy.  We hope to have something out this
week.

Dan
