Re: experimental relaxed policy
- From: Thomas Molina <tmolina cablespeed com>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: experimental relaxed policy
- Date: Mon, 3 May 2004 18:16:57 -0400 (EDT)

> >>There has been some work done on a "relaxed" policy. The intention of
> >>this policy is to simply protect system daemons, and not user logins.
> >>Right now there is just a policy for apache (which doesn't really work
> >>due to a kernel bug). Everything else runs in an "unconfined_t" domain,
> >>which essentially has every SELinux permission, and thus you are back to
> >>relying on DAC.
>
> One of the things we are considering is limiting the number of daemons
> we will lock down. We have picked out
> an arbitrary number of 5 for now and are trying to figure out which are
> the 5 daemons we would like to put in relaxed policy.
>
> My ideas are
>
> apache
> bind
> sendmail
> ftp
> ssh??? (Not sure this one is worth securing).

I am apparently not expressing myself well. My point is that if we are
relaxing policy to the point where you are relying on DAC, what is the
point? I want to test strict policy on those things where it most makes a
difference. In that vein, sendmail and bind are two which have
historically had a lot of problems. I would think those would be
candidates for stricter policy, not more permissive.