From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Pfe94-0001z9-Fc for garchives@archives.gentoo.org; Wed, 19 Jan 2011 19:56:42 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 08292E09E1; Wed, 19 Jan 2011 19:55:18 +0000 (UTC) Received: from mail-gy0-f181.google.com (mail-gy0-f181.google.com [209.85.160.181]) by pigeon.gentoo.org (Postfix) with ESMTP id CCF49E09E1 for ; Wed, 19 Jan 2011 19:55:18 +0000 (UTC) Received: by gyh3 with SMTP id 3so762952gyh.40 for ; Wed, 19 Jan 2011 11:55:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:sender:date:from:to:subject:message-id :references:mime-version:content-type:content-disposition :in-reply-to:user-agent; bh=N18O74/X94WyUKyO/kVRE00L2Hr03n6g8D4TLrlcGeQ=; b=s0FLNp7lZZMOgPRR2gQjYSvhTfSNhisY1+srXSzyE2dU0/MCi/r3LqFKALKfSF3vxm n3C4CKTEqMKeZob5VUpAzGMG48/Y6f0x04zWn2I2oFPBXW8+UUMJdOBqBfUMnV9oDxan UMlF6P1AJdKfFD1aE6N/OMZy0/i0wkmYjzY5U= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; b=r2WSe1Pv2zX9QDIQbw6ix2QTpiKGxCb0vAtnxBHxLf+d+66+l+0ZwLZWxo7TA5Z6Xa D/EPh1d2xLV+UETxwjZpESr75HJKI37mMDpGbzeRaAttS7AYFnOH4y5iwajwUIqldCyb plb0buxG9icYCm7H7oDlht3i9QnEh/q2dAI20= Received: by 10.216.72.201 with SMTP id t51mr2999809wed.6.1295466915164; Wed, 19 Jan 2011 11:55:15 -0800 (PST) Received: from siphos.be ([83.101.67.57]) by mx.google.com with ESMTPS id p4sm3835023wer.5.2011.01.19.11.55.01 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 19 Jan 2011 11:55:02 -0800 (PST) Sender: Sven Vermeulen Date: Wed, 19 Jan 2011 20:54:56 +0100 From: Sven Vermeulen To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] SELinux policy rules principles? Message-ID: <20110119195455.GB7787@siphos.be> References: <20110116150950.GA17577@siphos.be> <4D33455B.8050708@users.sourceforge.net> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <4D33455B.8050708@users.sourceforge.net> User-Agent: Mutt/1.5.21 (2010-09-15) X-Archives-Salt: X-Archives-Hash: 3769f9d97c64bf4e841d1f10d78e66a6 On Sun, Jan 16, 2011 at 08:22:03PM +0100, David Sommerseth wrote: > Why not have a look at what Fedora and RHEL/CentOS does in that regards? > They've probably already been through a lot of these decisions as well, and > were probably also one of the earlier adopters. Well, most of these distributions offer a targeted SELinux policy approach (they confine specific services/daemons, but most user activity is ran in unconfined domains) instead of a strict SELinux policy approach (no unconfined domains). Although they still have the same problem, it's scope is not as large as within a strict approach. The distributions I look at (fedora mainly) doesn't really seem to use one or the other. I also can't find any resource that sais to developers how they should focus their policies. From a quick chat on #selinux I seem to deduce that It Depends (tm). Mostly on the developer in charge. What I do notice is that, if a module has an allow statement which is cosmetic (not needed) it doesn't ever get removed because there's noone "trying" to remove statements to see if they are really cosmetic (that's a nice conundrum - how do I then know that a rule is cosmetic ;-) Wkr, Sven Vermeulen