[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Denied { search } mingetty and can't log in



Ivan Gyurdiev wrote:

>> Just to inform you that these AVCs have been corrected in
>> selinux-policy-targeted 2.2.9-1. But new hid2hci denied read and write
>> AVCs have appeared. The never-ending game ;-)
>
> There is no way for this game to end... Not until software developers take over the task of writing policy themselves.

Hopefully after we release FC5 the number of AVCs will decrease steadily as they did in FC3/FC4. The problem now is that the volume of change in rawhide and the number of people testing it have not revealed all of the problems. Keep submitting the AVCs, or even better patches, and we will keep updating policy.

> I know Dan disagrees with me on this, but I think that this is the only way for selinux to be really accepted into the mainstream.

I don't disagree with you; I would love to have the application developers take over the maintenance of policy for their applications. The problem is the developers have different goals than people concerned with security. They want their applications to run, and might take short cuts with security policy. So if they come up against an execmem failure or the inability to read /etc/shadow, would they redesign the application or just write policy to allow them to do the task they want to do?

> First, however, more infrastructure is needed to make this possible. Modular policy is a step in the right direction. I see that the current strict policy is now modular, and that's good news...

Loadable modules are the first step. Now we need tools to allow them to write the policy more easily. The current audit2allow allows them to build a policy module out of AVC messages; a step forward would be to add some kind of pattern matching to the tool to figure out what file contexts it might need. I.e., the domain wants to write to var_run, so it probably needs to use the pid functions in reference policy. I know Mitre/Tresys are looking into tools to make this easier.


--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
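Editor's added example, illustrating the two points made in the reply above: the audit2allow-style step that turns AVC denials into raw allow rules, the proposed pattern-matching step that maps a denial (e.g. a domain writing under var_run) to reference-policy pid interfaces, and the execmem / /etc/shadow cases that should prompt a redesign rather than a policy grant. This is example code written for this page; it is not audit2allow, not Tresys or Mitre tooling, and not from the thread. Assumptions: the sample audit lines are constructed (the getty_t, hid2hci_t, var_run_t, shadow_t and usb_device_t names are placeholders mirroring the denials under discussion); the suggested interface names are modelled on reference policy's files.if naming and must be checked against the refpolicy you actually build against; the "smell" table is the editor's own choice.

```python
import re
from collections import defaultdict

# Classic audit-line shape: "avc:  denied  { perms } for  ... scontext=... tcontext=... tclass=..."
# Assumption: those three context fields appear in this order, as in FC4/FC5-era logs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample log (not from the thread). Type names are placeholders.
SAMPLE_LOG = [
    'type=AVC msg=audit(1136500000.001:11): avc:  denied  { search } for  pid=2001 comm="mingetty" '
    'name="/" dev=sda1 ino=2 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1136500000.002:12): avc:  denied  { write add_name } for  pid=2001 comm="mingetty" '
    'name="/" dev=sda1 ino=2 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir',
    'type=AVC msg=audit(1136500000.003:13): avc:  denied  { read } for  pid=2001 comm="mingetty" '
    'name="shadow" dev=sda1 ino=99 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'type=AVC msg=audit(1136500000.004:14): avc:  denied  { execmem } for  pid=2002 comm="hid2hci" '
    'scontext=system_u:system_r:hid2hci_t:s0 tcontext=system_u:system_r:hid2hci_t:s0 tclass=process',
    # A context without the MLS field, as older logs print it.
    'type=AVC msg=audit(1136500000.005:15): avc:  denied  { read write } for  pid=2002 comm="hid2hci" '
    'name="hiddev0" dev=usbfs ino=321 scontext=system_u:system_r:hid2hci_t tcontext=system_u:object_r:usb_device_t tclass=chr_file',
    'type=USER_LOGIN msg=audit(1136500000.006:16): user pid=2001 uid=0 msg="op=login id=0 exe=/sbin/mingetty"',
]


def type_of(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def parse_avcs(lines):
    """Yield (source type, target type, tclass, perms) for each AVC denial line; skip the rest."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), frozenset(m.group("perms").split()))


def aggregate(lines):
    """Merge denials by (source, target, class), unioning permissions, as audit2allow does."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avcs(lines):
        merged[(src, tgt, cls)] |= perms
    return {key: frozenset(perms) for key, perms in merged.items()}


def allow_rules(merged):
    """Render raw allow rules; the target is written as 'self' when it equals the source domain."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


# Pattern table: (target type, class, required perm subset) -> refpolicy interface suggestion.
# Interface names are assumptions modelled on reference policy's files.if; verify them.
PATTERNS = [
    ("var_run_t", "dir", {"write", "add_name"},
     "type {base}_var_run_t; files_pid_file({base}_var_run_t); "
     "files_pid_filetrans({src}, {base}_var_run_t, file)"),
    ("var_run_t", "dir", {"search"}, "files_search_pids({src})"),
    ("var_run_t", "file", {"read"}, "files_read_all_pids({src})"),
]

# Denials that should start a redesign discussion instead of producing an allow rule.
# A target of None matches any target type (execmem is always against self:process).
SMELLS = [
    ("shadow_t", "file", {"read"}, "reads /etc/shadow: use PAM or a privileged helper, do not grant"),
    (None, "process", {"execmem"}, "needs writable and executable memory: fix the code, do not grant"),
]


def suggest(merged):
    """Return (interface suggestions, smells) for the merged denials."""
    suggestions, smells = [], []
    for (src, tgt, cls), perms in sorted(merged.items()):
        base = src[:-2] if src.endswith("_t") else src   # getty_t -> getty
        for ptype, pcls, need, template in PATTERNS:
            if tgt == ptype and cls == pcls and need <= perms:
                suggestions.append(template.format(src=src, base=base))
        for stype, scls, need, why in SMELLS:
            if (stype is None or tgt == stype) and cls == scls and need <= perms:
                smells.append(f"{src} -> {tgt}:{cls} {why}")
    return suggestions, smells


if __name__ == "__main__":
    merged = aggregate(SAMPLE_LOG)
    print("# raw rules (what audit2allow would emit)")
    print("\n".join(allow_rules(merged)))
    interfaces, smells = suggest(merged)
    print("# interface suggestions")
    print("\n".join(interfaces))
    print("# denials that need a design decision, not a rule")
    print("\n".join(smells))
```

The raw rules are what a developer would paste into a .te file today; the second list shows the kind of refpolicy interface a pattern matcher could propose instead, and the third list is the place a tool can push back, by refusing to turn an execmem or shadow_t denial into an allow rule without a human decision.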

