experimental relaxed policy

James Morris jmorris at redhat.com
Tue May 4 05:13:45 UTC 2004


On Mon, 3 May 2004, Thomas Molina wrote:

> > an arbitrary number of 5 for now and are trying to figure out which are 
> > the 5 daemons we would like to put in relaxed policy.
> > 
> > My ideas are
> > 
> > apache
> > bind
> > sendmail
> > ftp
> > ssh???  (Not sure this one is worth securing).
> 
> I am apparently not expressing myself well.  My point is that if we are 
> relaxing policy to the point where you are relying on DAC, what is the 
> point?  I want to test strict policy on those things where it most makes a 
> difference.  In that vein, sendmail and bind are two which have 
> historically had a lot of problems.  I would think those would be 
> candidates for stricter policy, not more permissive.

There is a bit of confusion here, totally understandable.

The daemons referred to above are candidates for being strictly
controlled.

The term 'relaxed policy' here refers to the concept of providing very
strict policies for a small, critical subset of the system, then allowing
the rest of the system to be unconfined.  It's relaxed in terms of not
trying to provide strict policies for every domain.


- James
-- 
James Morris
<jmorris at redhat.com>

More information about the fedora-selinux-list mailing list