
Re: experimental relaxed policy



I've been following all the discussion on simplifying SELinux for the next release of Fedora. It would seem that the first things to strictly secure would be external attacks. With this, an easy-to-understand policy how-to for non-SELinux people with an end-user focus would go a long way to helping people get started. Just my two cents' worth.

Phil Parsons
philpar swfla rr com
239-340-9880


James Morris wrote:
On Mon, 3 May 2004, Thomas Molina wrote:

  
an arbitrary number of 5 for now and are trying to figure out which are 
the 5 daemons we would like to put in relaxed policy.

My ideas are

apache
bind
sendmail
ftp
ssh???  (Not sure this one is worth securing).
      
I am apparently not expressing myself well.  My point is that if we are 
relaxing policy to the point where you are relying on DAC, what is the 
point?  I want to test strict policy on those things where it most makes a 
difference.  In that vein, sendmail and bind are two which have 
historically had a lot of problems.  I would think those would be 
candidates for stricter policy, not more permissive.
    

There is a bit of confusion here, totally understandable.

The daemons referred to above are candidates for being strictly
controlled.

The term 'relaxed policy' here refers to the concept of providing very
strict policies for a small, critical subset of the system, then allowing
the rest of the system to be unconfined.  It's relaxed in terms of not
trying to provide strict policies for every domain.


- James
  
