[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux Policy/Flask Classes from scratch



On Fri, 2007-01-26 at 15:34 -0500, bx wrote:
> On 1/26/07, Stephen Smalley <sds tycho nsa gov> wrote: 
>                 I'd suggest leveraging the reference policy instead as
>                 a baseline, then 
>                 customize it as desired.
>                 http://oss.tresys.com/projects/refpolicy
>                 
>         I took a look at the reference policy and I am not sure how it
>         can help me.  I am not  trying to use SELinux to constrain
>         programs and daemons to sandboxes, instead I would like to use
>         it to create restricted system administrator accounts.
>         Although in the future, I may want to end up hardening apache,
>         etc, however at this point, that is not my focus.  My approach
>         would be similar to the targeted policy, in which there is an
>         "unconfined" base domain in which most things roam.  I
>         understand that in theory the reference policy would be a good
>         approach due to its modular approach, however I do not know
>         where to start to get myself my base unconfined layer I want.
>         I am open to suggestions.

All policies are built from the reference policy these days, including
the Fedora -targeted policy (and the -strict policy and the -mls
policy).  They are just different configurations of it.  -strict policy
has a notion of user roles already, whereas -targeted does not (at
present).

-- 
Stephen Smalley
National Security Agency


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]