From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: [gentoo-hardened] SELinux policy rules principles?
Date: Sun, 16 Jan 2011 16:09:50 +0100 [thread overview]
Message-ID: <20110116150950.GA17577@siphos.be> (raw)
Hi all,
When writing security policies, it is important to first have a vision on
how the security policies should be made. Of course, final vision should be
with a systems' security administrator, but a distribution should give a
first start for this.
For the time being, Gentoo Hardened's policies are based upon the reference
policy's implementation, but I can imagine that this will evolve further.
The moment however we start adding policies ourselves (outside simple
patching of the reference policy's implementation) we need to have some
rules on what or how our rules should be made.
One first principle that we might need to discuss about is what we want to
allow in our policy. Do we want to allow all normal behavior (i.e. you use
an application or server the way it is meant to and we make sure no denials
are generated for this) but shield off abnormal behavior as much as possible
(by rightly aligning domains and types)? Or do we want to allow just enough
so that the applications function properly during regular operations,
causing various denials to be in place still?
And if we would opt for the latter, do we want to dontaudit those denials to
keep the logging clean, or do we then expect the administrator to manage his
own dontaudits?
Wkr,
Sven Vermeulen
next reply other threads:[~2011-01-16 16:02 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-16 15:09 Sven Vermeulen [this message]
2011-01-16 17:06 ` [gentoo-hardened] SELinux policy rules principles? Chris Richards
2011-01-19 19:39 ` Sven Vermeulen
2011-01-19 20:05 ` Chris Richards
2011-01-19 20:25 ` Sven Vermeulen
2011-01-19 20:34 ` Chris Richards
2011-01-21 21:55 ` Sven Vermeulen
2011-01-21 22:12 ` klondike
2011-01-21 22:43 ` Chris Richards
[not found] ` <4D33455B.8050708@users.sourceforge.net>
2011-01-19 19:54 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110116150950.GA17577@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox