New Policy Doesn't Fix It
Stephen Smalley
sds at tycho.nsa.gov
Fri Jun 17 12:03:46 UTC 2005
On Fri, 2005-06-17 at 07:52 -0400, Colin Walters wrote:
> For the targeted policy I think we need do need to allow it for
> file_type. The original security goal of the targeted policy was that
> only a few specific services were confined. We expect Fedora server
> administrators to understand SELinux and read documentation about how to
> secure their services using it. We cannot expect the same of all of the
> many other kinds of people using Fedora; in this particular case, it
> looks to me like Daniel is a free software enthusiast tracking the
> latest upstream releases of OpenOffice.org. Until we can have some
> reasonable expectation of ISV software installers labelling data
> correctly, I don't think we can use execmod/execmem for unconfined_t at
> all.
Hmm...well, if so, please limit to the targeted/domains/unconfined.te
file and don't alter the unconfined_domain() macro. Looks like you are
already allowing execmod to a variety of types in the targeted
unconfined.te, but not to all file types.
Given the permissive nature of targeted policy (e.g. boolean defaults
for apache and execmem/execmod are permissive), I think the release
notes or SELinux FAQ should in the future give instructions on how to
tighten up the settings for admins who want to do so. Otherwise, they
aren't likely to even think about it.
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list