[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Is there a SELinux tutorial for ISVs ?

Mike Hearn wrote:

I don't think there is any such document. Right now you can't distribute
policy anyway:

- The binary policy modules framework isn't fully deployed yet, or at
  least that's the impression I got last time I talked to the author

Maybe I'm so badly in need of a tutorial as to be unable to express my question, see below.

- There are no formal policy compatibility ... er ... policies, between
  distributions as far as I'm aware. So the meaning of a given bit of
  policy might change depending on the distributions specific

That's part of what I would be looking for. How would I find out about the policies in effect ?

What exactly are your goals? Do you want to lock down your own program or
is this more about compatibility?

The initial goal is compatibility: ship a possibly distribution-specific package which works regardless of whether the customer uses no selinux, the targeted policy or the strict policy. Making it policy-specific would be ugly, as I would get a combinatorial explosion of .rpm packages to ship.

I realize that it might not be possible to do that just at the packaging
level, i.e. that changes might be necessary upstream, but I am currently
unable to tell which changes are appropriate for the packaging stage and
which would impact the code.

Once that goal is achieved, being able to lock down the software would
be the next step; I guess that a less than cursory knowledge of SELinux
would be necessary to do that, however.

I'm pretty interested in letting Linux software developers ship policy as
part of their own binary packages to allow for better lockdown/least priv
on systems that support it but I don't think the technology is there yet.

Well, maybe the technology is not there but it hurts already: we currently have code which does not work because of selinux. It is old code which we are more interested in phasing out than supporting, but we would like not to get bitten in the future.

Thank you for your consideration,
Davide Bolcioni

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]