[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Core 2 SELinux installation

From: Richard Hally <rhally mindspring com>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
Subject: Re: Core 2 SELinux installation
Date: Sun, 02 May 2004 18:14:34 -0400

Stephen Smalley wrote:

On Fri, 2004-04-30 at 05:40, Pete Chown wrote:

I think this is especially true for a new security technology.  Most
people's view of security is quite simplistic: they want the bad guys
kept out, without their work being interfered with.  If SELinux
interferes with their work, they will turn it off, reasoning that normal
Unix security has kept the bad guys out so far.  They are then unlikely
to try it again later however much people tell them that the policy has
been improved.

So how would people feel about a separate relaxed policy that allows
everything in the system to run completely unconfined except for a small
set of specific services, e.g. apache, bind, postfix, ...
That would ensure that SELinux wouldn't get in the way of users, while
providing some protection benefit for network-facing services.

Another separate example policy would be very good. Additional different example policies would 1) demonstrate the flexibility on the concept and mechanism and 2) provide usage information that would useful in designing a better 'language' or higher level of abstraction. If there is an improved 'language', implementation and usage would be facilitated. Richard Hally

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]