Inside SELinux on Fedora Core 3
Posted Oct 8, 2004 14:02 UTC (Fri) by erich
In reply to: Inside SELinux on Fedora Core 3
Parent article: Inside SELinux on Fedora Core 3
But it is an issue of trust. If the policy file is included in a normal package, upgrading this package could in fact disable or break your whole SELinux policy. You don't really want that.
Currently, policy changes are made using at least four eyes (i.e. the Red Hat guys send them to the mailing list, and an NSA guy reviews them, comments on them, tests them and then commits them to CVS on SourceForge).
I think this makes a very good policy, and avoids ugly workarounds etc.
I bet many application writers will be so proud of their software as to give it a lot more rights than needed. Also, while debugging you will want to have additional rights that do not need to be included in the normal policy.
Many policy files already contain Debian package information.
I.e. it is possible to write a helper program which will install just the policy files for the installed Debian packages. Right now this is not included in the selinux-default-policy package (which is a strict policy, btw); instead you will be asked for each file if you want to install it.