Is there a SELinux tutorial for ISVs?

Davide Bolcioni dbolcioni at 3di.it
Thu Apr 28 08:14:44 UTC 2005


Mike Hearn wrote:

> I don't think there is any such document. Right now you can't distribute
> policy anyway:
> 
> - The binary policy modules framework isn't fully deployed yet, or at
>   least that's the impression I got last time I talked to the author

Maybe I'm so badly in need of a tutorial as to be unable to express my
question, see below.

> - There are no formal policy compatibility ... er ... policies, between
>   distributions as far as I'm aware. So the meaning of a given bit of
>   policy might change depending on the distributions specific
>   implementation.

That's part of what I would be looking for. How would I find out about the
policies in effect?

> What exactly are your goals? Do you want to lock down your own program or
> is this more about compatibility? 

The initial goal is compatibility: ship a possibly distribution-specific 
package which works regardless of whether the customer uses no selinux,
the targeted policy or the strict policy. Making it policy-specific 
would be ugly, as I would get a combinatorial explosion of .rpm packages 
to ship.

I realize that it might not be possible to do that just at the packaging 
level, i.e. that changes might be necessary upstream, but I am currently 
unable to tell which changes are appropriate for the packaging stage and 
which would impact the code.

Once that goal is achieved, being able to lock down the software would
be the next step; I guess that a less than cursory knowledge of SELinux 
would be necessary to do that, however.

> I'm pretty interested in letting Linux software developers ship policy as
> part of their own binary packages to allow for better lockdown/least priv
> on systems that support it but I don't think the technology is there yet.

Well, maybe the technology is not there but it hurts already: we 
currently have code which does not work because of selinux. It is old 
code which we are more interested in phasing out than supporting, but we 
would like not to get bitten in the future.

Thank you for your consideration,
Davide Bolcioni
-- 
There is no place like /home.
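As an added example that is not part of this thread, the following POSIX shell helpers show one way a package's %post scriptlet could answer the "which policy is in effect?" question above and behave sensibly whether the customer runs no SELinux, the targeted policy or the strict policy. It assumes the 2005-era Fedora layout: /etc/selinux/config with SELINUX= and SELINUXTYPE= lines, the /selinux/enforce pseudo-file, and the restorecon utility.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumed paths: /etc/selinux/config, /selinux/enforce; assumed tool: restorecon.

# Configured policy type: "none" when SELinux is disabled or no config exists,
# otherwise the SELINUXTYPE value (e.g. "targeted" or "strict").
selinux_policy_type() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo none; return 0; }
    state=$(sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    ptype=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([A-Za-z_]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$state" in
        disabled|"") echo none ;;
        *)           echo "${ptype:-targeted}" ;;   # "targeted" is the assumed default
    esac
}

# Runtime enforcement mode: "disabled", "permissive" or "enforcing".
# Reads the kernel's view rather than the config file, since the two can
# disagree (e.g. enforcing=0 passed on the kernel command line).
selinux_runtime_mode() {
    enforce="${1:-/selinux/enforce}"
    [ -r "$enforce" ] || { echo disabled; return 0; }
    case "$(cat "$enforce")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# %post helper: relabel the package's installed files from the active policy's
# file contexts, but only when SELinux is actually running. On a system without
# SELinux this is a no-op, so the same package works in all three cases.
relabel_if_selinux() {
    [ "$(selinux_runtime_mode)" = disabled ] && return 0
    command -v restorecon >/dev/null 2>&1 || return 0
    restorecon -R "$@"
}
```

A scriptlet would call `relabel_if_selinux /opt/yourpkg` after installing files; a policy-specific branch can be keyed on `selinux_policy_type` where strict and targeted genuinely need different handling.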




More information about the fedora-selinux-list mailing list