SELinux Policy/Flask Classes from scratch
Stephen Smalley
sds at tycho.nsa.gov
Fri Jan 26 20:37:28 UTC 2007
On Fri, 2007-01-26 at 15:34 -0500, bx wrote:
> On 1/26/07, Stephen Smalley <sds at tycho.nsa.gov> wrote:
> > I'd suggest leveraging the reference policy instead as a baseline,
> > then customize it as desired.
> > http://oss.tresys.com/projects/refpolicy
>
> I took a look at the reference policy and I am not sure how it
> can help me. I am not trying to use SELinux to constrain
> programs and daemons to sandboxes, instead I would like to use
> it to create restricted system administrator accounts.
> Although in the future, I may want to end up hardening apache,
> etc, however at this point, that is not my focus. My approach
> would be similar to the targeted policy, in which there is an
> "unconfined" base domain in which most things roam. I
> understand that in theory the reference policy would be a good
> approach due to its modular approach, however I do not know
> where to start to get myself the base unconfined layer I want.
> I am open to suggestions.
All policies are built from the reference policy these days, including
the Fedora -targeted policy (and the -strict policy and the -mls
policy). They are just different configurations of it. -strict policy
has a notion of user roles already, whereas -targeted does not (at
present).
--
Stephen Smalley
National Security Agency