Binary policy modules
Mike Hearn
mike at plan99.net
Wed Oct 12 18:46:29 UTC 2005
On Wed, 12 Oct 2005 14:24:25 -0400, Stephen Smalley wrote:
> No, that should be possible. What I meant was the ability to confine the
> rules that can exist in a given policy module installed from a given
> package, e.g. so that a policy module shipped in the foo package can't
> open up read access to /etc/shadow. That requires the policy server, see
> http://sepolicy-server.sourceforge.net/index.php
Wow, meta-policy? That sounds useful but mind-expanding :)
Anyway, good to know! I look forward to getting my hands on FC5 when it
comes out. It'll be interesting to see how far we can restrict installers
before we start breaking them.
thanks -mike
More information about the fedora-selinux-list mailing list