Denied { search } mingetty and can't log in

Daniel J Walsh dwalsh at redhat.com
Wed Feb 1 13:09:15 UTC 2006


Ivan Gyurdiev wrote:
>
>>
>> Just to inform you that these AVCs have been corrected in selinux-
>> policy-targeted 2.2.9-1. But new hid2hci denied read and write AVCs have
>> appeared. The never-ending game ;-)
>>   
> There is no way for this game to end...  Not until software developers 
> take over the task of writing policy themselves.
>
Hopefully after we release FC5 the number of AVC will decrease steadily 
as they did in FC3/FC4.  The problem now is the volume of change in 
rawhide and the number of people testing it have not revealed all of the 
problems.  Keep submitting the AVCs, or even better patches, and we will 
keep updating policy.
> I know Dan disagrees with me on this, but I think that this is the 
> only way for selinux to be really accepted into the mainstream.
I don't disagree with you,  I would love to have the applications 
developers to take over the maintenance of policy for their 
applications.  The problem is the developers have different goals than 
people concerned with security.  They want their applications to run, 
and might take short cuts with security policy.  So if they come up 
against an execmem failure or the inability to read /etc/shadow, would 
they redesign the application or just write policy to allow them to do 
the task they want to do?
> First, however, more infrastructure is needed to make this possible. 
> Modular policy is a step in the right direction. I see that the 
> current strict policy is now modular, and that's good news...
Loadable Modules is the first step.  Now we need tools to allow them to 
write the policy more easily.  The current audit2allow allows them to 
build a policy module out of AVC messages.  A step forward would be to 
add some kind of pattern matching to the tool to figure out what file 
contexts it might need, i.e. the domain wants to write to var_run, so it 
probably needs to use the pid functions in reference policy.  I know 
Mitre/Tresys are looking into tools to make this easier.
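The pattern-matching idea above, as an added illustration that is not part of this thread and not code from audit2allow or reference policy: the script parses a few constructed AVC denial lines (invented here to resemble the mingetty and hid2hci denials discussed, not copied from anyone's logs), emits the raw allow rules audit2allow would produce from them, and then, for target types it recognises, suggests the reference-policy interface a policy writer should prefer instead of the raw rule. The interface names and the type-to-interface table are an assumption for the example and should be checked against the files.if of the refpolicy version actually in use.

```python
import re
from collections import defaultdict

# Constructed sample denials (not real log output from the thread).
SAMPLE_AVCS = """\
audit(1138799355.123:45): avc:  denied  { search } for  pid=1842 comm="mingetty" name="run" dev=hda2 ino=65537 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_run_t tclass=dir
audit(1138799355.130:46): avc:  denied  { write } for  pid=1842 comm="mingetty" name="mingetty.pid" dev=hda2 ino=65600 scontext=system_u:system_r:getty_t tcontext=system_u:object_r:var_run_t tclass=file
audit(1138799401.002:47): avc:  denied  { read write } for  pid=2210 comm="hid2hci" name="hiddev0" dev=tmpfs ino=9021 scontext=system_u:system_r:bluetooth_t tcontext=system_u:object_r:usb_device_t tclass=chr_file
"""

# Pull the permission set, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# ASSUMED mapping (target type, object class, triggering perms) -> interface hint.
# The interface names below are an assumption for this example; verify them
# against the files.if shipped with your reference policy before relying on them.
INTERFACE_HINTS = [
    ("var_run_t", "dir", {"search", "getattr"},
     "files_search_pids({d})"),
    ("var_run_t", "dir", {"write", "add_name", "remove_name"},
     "declare a private pid type and use files_pid_filetrans({d}, {d}_var_run_t, file)"),
    ("var_run_t", "file", {"write", "create", "append"},
     "declare a private pid type and use files_pid_filetrans({d}, {d}_var_run_t, file)"),
]


def parse_avcs(text):
    """Return one dict per recognised AVC denial line; unparseable lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            # user:role:type -> keep only the type field of each context
            "sdomain": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
        })
    return denials


def raw_allow_rules(denials):
    """Merge denials into the plain allow rules audit2allow would emit."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


def suggest_interfaces(denials):
    """For each denial whose target type/class/perms match a hint, name the preferred interface."""
    hints = set()
    for d in denials:
        for ttype, tclass, trigger, hint in INTERFACE_HINTS:
            if d["ttype"] == ttype and d["tclass"] == tclass and d["perms"] & trigger:
                hints.add(hint.format(d=d["sdomain"]))
    return sorted(hints)


if __name__ == "__main__":
    found = parse_avcs(SAMPLE_AVCS)
    print("# raw rules (what audit2allow would generate):")
    for rule in raw_allow_rules(found):
        print(rule)
    print("# reference-policy interfaces to use instead, where one is known:")
    for hint in suggest_interfaces(found):
        print(hint)
```

The hid2hci denial gets a raw rule but no hint, because the table knows nothing about usb_device_t; that is the point of the exercise: every type the tool does not recognise still falls back to a raw allow rule, so the value of the approach grows with the size of the type-to-interface table.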
