Targeted strategy guidance needed

Daniel J Walsh dwalsh at redhat.com
Thu Mar 30 20:31:40 UTC 2006


Gary Kopp wrote:
> Would someone on this list be able to take a moment to give me a sanity
> check and tell me if I'm on the right track? I'm configuring a RHEL4 server
> to be an Internet-facing web/mail server. It will run httpd, postfix, and
> courier-imap. Most application logic (including any requirement for SQL
> access) will live on other servers that I'm not concerned about in the
> context of SELinux, but this web server will probably have to run one PHP
> application (Blog:CMS). I desire this web server to be as secure as
> possible. 
>
> I have not yet mastered the intricacies of SELinux (but I'm working on
> that), and I thought that by using Red Hat's targeted SELinux policy I'd
> have a head start. I also thought this would leverage my investment in the
> Red Hat Enterprise Linux support contract, being able to turn to Red Hat
> support for help. I have since found out that my support agreement (SLA)
> does not cover any SELinux issues arising from a modified targeted policy.
>
> And right out of the chute I see that I can't live with the targeted policy
> as delivered, and need to tweak it. For example, this server uses syslog-ng,
> and the targeted policy is already complaining. Red Hat's SELinux Guide
> offers instructions on how to add rules to local.te to get around minor
> issues like this, and I'm willing to do that, but then I'll have no support
> from Red Hat directly. I also anticipate that my httpd config may require
> some policy tweaks (e.g., I'm thinking of putting Apache logs in a
> non-standard location).
>
> Next, the delivered targeted policy doesn't constrain postfix (it seems to
> reference postfix, but then aliases it to unconfined). Again, the Guide
> suggests I could write new policy specifically for something like postfix,
> in essence extending the targeted policy. Interestingly, I see that the
> gentoo project has a whole bunch of SELinux policies available, including
> one for postfix. A side question I have is: does it make sense to adapt/use
> the policies available in the gentoo project to extend the targeted policy
> for new processes, or is that a bad idea?
>
> I'm assuming that the RHEL targeted policy and the FC policy, the subject of
> this mailing list, are one and the same, and therefore I'm not out of line
> coming to this list.  Am I correct?  As a RHEL user rather than a FC user
> can I still use this list as a resource?
>
> OK, here's my fundamental question: Given what I'm trying to achieve, is my
> proper approach to start tweaking and extending the delivered targeted
> policy? Is that commonly done, or should I be looking at some other strategy
> to meet my needs?
>
> I'll be grateful for any advice anyone would like to offer. TIA
>
>
Yes, you can do that, and we will help you. In order to satisfy your
support contract, I believe you would need to recreate the problem with
the standard SELinux policy.

Dan
> --Gary Kopp