
Inside SELinux on Fedora Core 3


Posted Oct 8, 2004 14:02 UTC (Fri) by erich (subscriber, #7127)
In reply to: Inside SELinux on Fedora Core 3 by iabervon
Parent article: Inside SELinux on Fedora Core 3

But it is an issue of trust. If the policy file is included in a normal package, upgrading this package could in fact disable or break your whole SELinux policy. You don't really want that.
Currently, policy changes are made using at least four eyes (i.e. the Red Hat guys send them to the mailing list, and an NSA guy reviews them, comments on them, tests them and then commits them to CVS on SourceForge).
I think this makes a very good policy and avoids ugly workarounds etc.
I bet many application writers will be so proud of their software that they give it a lot more rights than needed. Also, while debugging you will want to have additional rights that do not need to be included in the normal policy.

Many policy files already contain Debian package information.
I.e. it is possible to write a helper program which will install just the policy files for the installed Debian packages. Right now this is not included in the selinux-default-policy package (which is a strict policy, btw); instead you will be asked for each file if you want to install it.
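The helper described in the comment above, written out as an added example (it is not code from the LWN thread, from the Debian selinux-default-policy package, or from any SELinux project): it walks a directory of candidate policy files, reads the Debian package each one belongs to, asks dpkg whether that package is installed, and copies only the matching files into the local policy tree. Everything about the layout is an assumption made for the example: the candidate directory, the target directory, and the header line convention (`# Package: <debian-package>`) used to carry the package name. The page says only that the policy files "contain debian package information", not in what form.

```shell
#!/bin/sh
# Added example, not from the LWN thread or any SELinux/Debian project.
# Installs only the SELinux policy fragments whose Debian package is present.
#
# Assumptions (hypothetical, chosen for this example):
#   * Candidate policy files live in $CANDIDATE_DIR, one per package, and
#     each carries a header line of the form "# Package: <debian-package>".
#   * Selected files are copied into $TARGET_DIR; rebuilding and loading
#     the policy from that tree is left to the administrator.
#   * Installation status comes from dpkg-query; is_installed() can be
#     redefined (e.g. in tests) so the logic runs without a dpkg database.

CANDIDATE_DIR="${CANDIDATE_DIR:-/usr/share/selinux/candidates}"
TARGET_DIR="${TARGET_DIR:-/etc/selinux/strict/src/policy/domains/program}"

# Print the package named in the "# Package:" header of $1 (empty if none).
package_of() {
    sed -n 's/^# Package:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 if Debian package $1 is in state "install ok installed", else 1.
# dpkg-query exits non-zero for unknown packages, which we treat as absent.
is_installed() {
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || return 1
    case "$status" in
        *"install ok installed"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk candidate directory $1. For each *.te file whose package is
# installed, copy it into directory $2 (if $2 is given) and print its path.
# Files without a header, or for packages that are not installed, are
# skipped with a note on stderr so the administrator can review them.
select_policies() {
    cand=$1
    target=${2:-}
    for f in "$cand"/*.te; do
        [ -f "$f" ] || continue
        pkg=$(package_of "$f")
        if [ -z "$pkg" ]; then
            echo "skip $f: no '# Package:' header, install by hand if wanted" >&2
        elif ! is_installed "$pkg"; then
            echo "skip $f: package $pkg is not installed" >&2
        else
            [ -z "$target" ] || cp "$f" "$target"/
            echo "$f"
        fi
    done
}

# Entry point: copy the selected policies and report how many were taken.
main() {
    mkdir -p "$TARGET_DIR"
    n=$(select_policies "$CANDIDATE_DIR" "$TARGET_DIR" | wc -l)
    echo "installed $n policy file(s) into $TARGET_DIR"
}

case "${1:-}" in
    --run) main ;;
esac
```

Run it as `sh selinux-policy-select.sh --run` (or call `select_policies DIR` with no target for a dry run that just lists what would be taken). The selection is deliberately conservative: a candidate with no recognisable package header is never copied silently, so the four-eyes review the comment describes is not bypassed by a stray file.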



Inside SELinux on Fedora Core 3

Posted Oct 8, 2004 15:21 UTC (Fri) by iabervon (subscriber, #722)

I wasn't thinking that the project's suggestion should be installed automatically. But the project is essentially authoritative as to what the program is going to try to do when functioning as intended, so it would be helpful to look at when deciding what to set as the policy.

Inside SELinux on Fedora Core 3

Posted Oct 10, 2004 13:44 UTC (Sun) by erich (subscriber, #7127)

Granted. Once SELinux is widely enough adopted this might become an option.
Still, it's also about looking over applications' shoulders and limiting them to what they should do, not what they want to do.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds