Binary policy modules

Stephen Smalley sds at tycho.nsa.gov
Wed Oct 12 16:15:42 UTC 2005


On Tue, 2005-10-11 at 21:05 +0100, Mike Hearn wrote:
> Hi,
> 
> Can we have an update on this please - last I heard it was targeted for
> FC5. Is this still on the cards? If so, are there any docs on how to use
> it? I'm waiting for this feature so I can integrate autopackage with
> SELinux (for instance by preventing packages loading kernel modules and
> other risky things whilst still letting them run as root).

The module support is already in rawhide (as part of the existing
SELinux packages plus the introduction of libsemanage) but getting it
properly integrated and used there is still work in progress (but still
expected for FC5, I believe, barring any unexpected obstacles).
Documentation is woefully lacking presently, but there is a
README.MODULES in selinux-doc and some information over at 
http://sepolicy-server.sourceforge.net/index.php?page=module-language

However, by itself, the module support doesn't solve the problem of
confining packages/package managers.  It just allows policy modules to
be built and shipped separately from the base distro policy, with proper
dependency checking when they are installed.  For access control over
the policy itself, you further need the policy server, which is also
work in progress but I don't think targeted for FC5.

-- 
Stephen Smalley
National Security Agency



