From: Sven Vermeulen <sven.vermeulen@siphos.be>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux policy rules principles?
Date: Wed, 19 Jan 2011 20:54:56 +0100 [thread overview]
Message-ID: <20110119195455.GB7787@siphos.be> (raw)
In-Reply-To: <4D33455B.8050708@users.sourceforge.net>
On Sun, Jan 16, 2011 at 08:22:03PM +0100, David Sommerseth wrote:
> Why not have a look at what Fedora and RHEL/CentOS does in that regards?
> They've probably already been through a lot of these decisions as well, and
> were probably also one of the earlier adopters.
Well, most of these distributions offer a targeted SELinux policy approach
(they confine specific services/daemons, but most user activity is ran in
unconfined domains) instead of a strict SELinux policy approach (no
unconfined domains). Although they still have the same problem, it's scope
is not as large as within a strict approach.
The distributions I look at (fedora mainly) doesn't really seem to use
one or the other. I also can't find any resource that sais to developers
how they should focus their policies. From a quick chat on #selinux I seem
to deduce that It Depends (tm). Mostly on the developer in charge.
What I do notice is that, if a module has an allow statement which is
cosmetic (not needed) it doesn't ever get removed because there's noone
"trying" to remove statements to see if they are really cosmetic (that's a
nice conundrum - how do I then know that a rule is cosmetic ;-)
Wkr,
Sven Vermeulen
prev parent reply other threads:[~2011-01-19 19:56 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-01-16 15:09 [gentoo-hardened] SELinux policy rules principles? Sven Vermeulen
2011-01-16 17:06 ` Chris Richards
2011-01-19 19:39 ` Sven Vermeulen
2011-01-19 20:05 ` Chris Richards
2011-01-19 20:25 ` Sven Vermeulen
2011-01-19 20:34 ` Chris Richards
2011-01-21 21:55 ` Sven Vermeulen
2011-01-21 22:12 ` klondike
2011-01-21 22:43 ` Chris Richards
[not found] ` <4D33455B.8050708@users.sourceforge.net>
2011-01-19 19:54 ` Sven Vermeulen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110119195455.GB7787@siphos.be \
--to=sven.vermeulen@siphos.be \
--cc=gentoo-hardened@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox