selinux configuration, are you sure it's the right way?

Farkas Levente lfarkas at bppiac.hu
Thu Mar 31 16:32:39 UTC 2005


Stephen Smalley wrote:
> On Thu, 2005-03-31 at 17:59 +0200, Farkas Levente wrote:
> 
>>my question: why does
>>selinux include the default policies? why does selinux-policy-* contain the
>>right access rights for all included daemons, programs? wouldn't it be
>>much better for all packages to include their own policy and in the rpm
>>postinstall session reload/add/modify the new policies.
> 
> 
> That idea has been considered in the past, but it has some issues, e.g.
> - The current policy doesn't provide a real module abstraction, and
> lacks a strong dependency model and a way to easily handle variations in
> the base policy when inserting a new policy "module".  That is being
> addressed by recent work by Tresys Technology to create a real module
> abstraction for policy; that work should be upstreamed in the near
> future.
> - While some aspects of the policy are highly localized (e.g. least
> privilege requirements on a particular application), other aspects
> require a global view of the policy (e.g. information flow constraints
> to ensure confidentiality and integrity guarantees).  Hence, it is
> difficult to truly modularize policy in the same manner as packages.

the security administrator who creates the xxx-policy packages should 
have this "global view", but he can still create different packages 
for different applications' policies. and as i said there can be one 
(some) global policy packages too.

> - Policy is intended to organize the system into security equivalence
> classes, i.e. not every package should have its own policy, and multiple
> packages should share the same policy.  Hence, you need a layer of
> indirection between the policies and the packages.

more packages can depend on one policy, as more packages can depend on one lib.

> - Policy should be defined by the security administrator, not by the
> application writer.  The application writer can help by providing
> information about what resources an application needs in order to
> function, but ultimately the decision about how to allow the application
> to interact with the base system should be made by the security admin,
> sometimes even denying access to the application that may reduce its
> available functionality or force it to alternative code paths.

ok. but the current situation is the same: there is one security 
administrator (called Dan:) who defines the policy, and probably he can 
do the apache-policy package (and the local hacker admins can modify 
it). i don't assume the apache developer should have to do this.

-- 
   Levente                               "Si vis pacem para bellum!"



