LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Inside SELinux on Fedora Core 3

Inside SELinux on Fedora Core 3

Posted Oct 7, 2004 21:25 UTC (Thu) by iabervon (subscriber, #722)
Parent article: Inside SELinux on Fedora Core 3

On the other hand, if it is this modular, projects could just include the file (or generate it at build time, to account to configuration dependance). It sounds like a nice description of what the program affects, and if it is enforced by developers' systems, it will probably stay up-to-date. It would be much easier to keep track of where apache's config files are in the local installation if the OS was specifically granting Apache permission to read them.

(Log in to post comments)

Inside SELinux on Fedora Core 3

Posted Oct 8, 2004 14:02 UTC (Fri) by erich (subscriber, #7127) [Link]

But it is an issue of trust. If the policy file is included in a normal package, upgrading this package could in fact disable or break your whole selinux policy. You don't really want that.
Currently, Policy changes are made using at least four eyes. (i.e. the redhad guys send them to the mailing list, and a NSA guy reviews them, comments on them, tests them and then commits them to CVS on sourceforge)
I think this makes a very good policy, and avoids ugly workarounds etc.
I bet many application writers will be so proud of their software to give it a lot more rights than needed. Also while debugging you will want to have additional rights that do not need to be included in the normal policy.

Many policy files already contain debian package information.
I.e. it is possible to write a helper program which will install just the policy files for the installed debian packages. Right now this is not included in the selinux-default-policy package (which is a strict policy, btw), instead you will be asked for each file if you want to install it.

Inside SELinux on Fedora Core 3

Posted Oct 8, 2004 15:21 UTC (Fri) by iabervon (subscriber, #722) [Link]

I wasn't thinking that the project's suggestion should be installed automatically. But the project is essentially authoritative as to what the program is going to try to do when functioning as intended, so it would be helpful to look at when deciding what to set as the policy.

Inside SELinux on Fedora Core 3

Posted Oct 10, 2004 13:44 UTC (Sun) by erich (subscriber, #7127) [Link]

Granted. Once SELinux is widely enough adopted this might become an option.
Still its also about looking applications over the shoulder and limiting them to what they should do, not what they want to do.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds