On Tue, May 26, 2020 at 10:43 PM Przemek Klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On 5/23/20 12:18 AM, Nico Kadel-Garcia wrote:
> Would the time be better spent enhancing SELinux?
That----SELinux already labels everything in /bin and /usr/libexec as
system_u:object_r:bin_t:s0
so maybe it could be leveraged to cover everything you are considering?
Is there something fundamental missing in SELinux that forces a separate
implementation?
The #2 FAQ in the project's README[1] provides guidance in this regard:
- Can SELinux or AppArmor do this instead?
SE Linux is modelling how an application behaves. It is not concerned about where the application came from or whether its known to the system. Basically, anything in /bin gets bin_t type by default which is not a very restrictive label. MAC systems serve a different purpose. Fapolicyd by design cares solely about if this is a known application/library. These are complimentary security subsystems. There is more information about application whitelisting use cases at the following NIST website:
https://www.nist.gov/publications/guide-application-whitelisting
[1]: https://github.com/linux-application-whitelisting/fapolicyd/blob/master/README.md#faq
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
