Is there a SELinux tutorial for ISVs ?

Davide Bolcioni db-fedora at 3di.it
Thu Apr 28 08:20:55 UTC 2005 

Mike Hearn wrote:

> I don't think there is any such document. Right now you can't distribute
> policy anyway:
> 
> - The binary policy modules framework isn't fully deployed yet, or at
>   least that's the impression I got last time I talked to the author

Maybe I'm so badly in need of a tutorial as to be unable to express my
question, see below.

> - There are no formal policy compatibility ... er ... policies, between
>   distributions as far as I'm aware. So the meaning of a given bit of
>   policy might change depending on the distributions specific
>   implementation.

That's part of what I would be looking for. How would I find out about the
policies in effect ?

> What exactly are your goals? Do you want to lock down your own program or
> is this more about compatibility? 

The initial goal is compatibility: ship a possibly distribution-specific
package which works regardless of whether the customer uses no selinux,
the targeted policy or the strict policy. Making it policy-specific
would be ugly, as I would get a combinatorial explosion of .rpm packages
to ship.

I realize that it might not be possible to do that just at the packaging
level, i.e. that changes might be necessary upstream, but I am currently
unable to tell which changes are appropriate for the packaging stage and
which would impact the code.

Once that goal is achieved, being able to lock down the software would
be the next step; I guess that a less than cursory knowledge of SELinux
would be necessary to do that, however.

> I'm pretty interested in letting Linux software developers ship policy as
> part of their own binary packages to allow for better lockdown/least priv
> on systems that support it but I don't think the technology is there yet.

Well, maybe the technology is not there but it hurts already: we
currently have code which does not work because of selinux. It is old
code which we are more interested in phasing out than supporting, but we
would like not to get bitten in the future.

Thank you for your consideration,
Davide Bolcioni

More information about the fedora-selinux-list mailing list