No more selinux-policy-*-sources

Daniel J Walsh dwalsh at redhat.com
Tue Mar 14 18:48:59 UTC 2006


Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
>
>   
>> Go read:
>> http://www.ranum.com/security/computer_security/editorials/dumb/
>>     
>
> So shipping the targeted policy is a dumb idea. RH will be glad to hear that.
>
>   
No, targeted policy is confining the selected domains by deny all.  We
look at targeted policy as a way of protecting user space from system
space.  Or another way to look at it would be putting a firewall around
the user's processes and preventing the system spaces from touching
that.  So one of the goals is to prevent apache processes from touching
user files.  As a by-product of this, we are actually "firewalling"
most applications from each other, so apache cannot touch the name
server files, and the name server cannot touch the apache server.

Strict policy and targeted policy are pretty much the same in FC5 as far
as system applications are concerned.  Strict policy also tries to limit
the access of applications that users run, like Firefox and Evolution.
There are several problems here, but we are beginning to address some of
these by limiting the use of executable memory, even in userspace.  We
hope to slowly bring additional SELinux components out into user space.




