[ANN] SELinux Policy Editor 2.0 (seedit 2.0)

Yuichi Nakamura ynakam at gwu.edu
Tue Jul 11 04:32:34 UTC 2006


On Mon, 10 Jul 2006 17:03:29 -0400
Stephen Smalley wrote:
> What are your plans for modular policy support?  In the absence of it,
> using your tool/policy on FC5 will disable the ability to use policy
> modules and semanage on FC5, which would be a regression for users and
> may break some packages that are beginning to leverage the semodule and
> semanage functionality.
I have two plans.

1) Full Simplified Policy, no modular policy
This is the current version.
The whole policy is replaced by the simplified policy; the generated policy is
monolithic.
What I want to do is AppArmor-like configuration (security enhanced AppArmor??).
I think I do not need modular policy for that use.
The semanage and semodule commands and APIs are not used in the current version.

2) Appendable simplified policy, modular policy support
It exists only in my head..
The simplified policy for one domain is converted into a .pp file,
and is loadable into the existing policy.
It will take time, because I have been spending time on 1).

> Be aware that the old network controls are being superseded by the new
> secmark functionality, so you will need to rework your tool to generate
> the new allow...:packet { send recv} rules and to generate iptables
> rules for marking the packets appropriately for 2.6.18 and later, unless
> you enable compatibility mode for the old checks.
Thanks for the information.
I will support both.

Yuichi Nakamura



