Binary policy modules

Mike Hearn mike at plan99.net
Wed Oct 12 18:14:52 UTC 2005


On Wed, 12 Oct 2005 12:15:42 -0400, Stephen Smalley wrote:
> The module support is already in rawhide (as part of the existing SELinux
> packages plus the introduction of libsemanage) but getting it properly
> integrated and used there is still work in progress (but still expected
> for FC5, I believe, barring any unexpected obstacles). Documentation is
> woefully lacking presently, but there is a README.MODULES in selinux-doc
> and some information over at
> http://sepolicy-server.sourceforge.net/index.php?page=module-language

The module language looks nice. I especially like the optionals feature,
if only ELF had that :)

> However, by itself, the module support doesn't solve the problem of
> confining packages/package managers.  It just allows policy modules to be
> built and shipped separately from the base distro policy, with proper
> dependency checking when they are installed.  For access control over the
> policy itself, you further need the policy server, which is also work in
> progress but I don't think targeted for FC5.

Hmm, I don't quite understand - my intention was to ship a binary policy
module installed when the package manager is first installed, which then
defines a new domain almost_but_not_quite_root (with a better name of
course ;). Packages/installers would then be run in this domain instead of
being unconfined. 

Why does this need access control on the policy itself? Or do you mean,
that in FC5 it won't actually be possible to install third party
policy modules?

thanks -mike
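As an added illustration (not code from this thread or from the Fedora project), here is a minimal module in the raw module language that does what Mike describes: it declares a domain for package installers (pkgmgr_t stands in for his "almost_but_not_quite_root"), gives it an entrypoint type, sets up the automatic transition from unconfined_t, and uses an optional block so the module still loads when the referenced type is absent. The module name, pkgmgr_t and pkgmgr_exec_t are made up here; unconfined_t, the domain attribute and rpm_t are assumed to exist in the targeted policy of that era.

```selinux
module pkgmgr_confine 1.0;

# Everything referenced but not declared here must be requested from
# the base policy; loading fails if any of these are missing.
require {
	attribute domain;
	type unconfined_t;
	class process { transition sigchld };
	class file { read getattr execute entrypoint };
}

# The confined domain that installers run in instead of unconfined_t.
type pkgmgr_t;
typeattribute pkgmgr_t domain;

# Label the package manager binary with this type to get the transition.
type pkgmgr_exec_t;

# When unconfined_t executes a pkgmgr_exec_t file, the new process
# enters pkgmgr_t; the allow rules below permit that transition.
type_transition unconfined_t pkgmgr_exec_t:process pkgmgr_t;
allow unconfined_t pkgmgr_exec_t:file { read getattr execute };
allow unconfined_t pkgmgr_t:process transition;
allow pkgmgr_t pkgmgr_exec_t:file { read getattr execute entrypoint };
allow pkgmgr_t unconfined_t:process sigchld;

# The optional block is only enabled if rpm_t exists in the loaded
# policy; otherwise it is silently skipped rather than failing the load.
optional {
	require {
		type rpm_t;
	}
	allow pkgmgr_t rpm_t:process sigchld;
}
```

Build it with `checkmodule -M -m -o pkgmgr_confine.mod pkgmgr_confine.te` followed by `semodule_package -o pkgmgr_confine.pp -m pkgmgr_confine.mod`, and load it with `semodule -i pkgmgr_confine.pp`. The domain as written grants pkgmgr_t nothing beyond entering itself, so further allow rules are needed before a real installer could work in it; that is the point at which the domain's privileges are deliberately chosen rather than inherited from unconfined_t.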



