Re: Location of executable code

On Tue, May 26, 2020 at 10:43 PM Przemek Klosowski via devel <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> On 5/23/20 12:18 AM, Nico Kadel-Garcia wrote:
> >   Would the time be better spent enhancing SELinux?
>
> That -- SELinux already labels everything in /bin and /usr/libexec as
>
> system_u:object_r:bin_t:s0
>
> so maybe it could be leveraged to cover everything you are considering?
> Is there something fundamental missing in SELinux that forces a separate
> implementation?

The #2 FAQ in the project's README[1] provides guidance in this regard:
  1. Can SELinux or AppArmor do this instead?

SE Linux is modelling how an application behaves. It is not concerned about where the application came from or whether it's known to the system. Basically, anything in /bin gets bin_t type by default which is not a very restrictive label. MAC systems serve a different purpose. Fapolicyd by design cares solely about if this is a known application/library. These are complementary security subsystems. There is more information about application whitelisting use cases at the following NIST website:

https://www.nist.gov/publications/guide-application-whitelisting

[1]: https://github.com/linux-application-whitelisting/fapolicyd/blob/master/README.md#faq


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
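As an added example (not from the thread and not fapolicyd's own code) of the distinction the FAQ draws: `label_decision` mimics path-based typing, under which anything under a bin directory is bin_t no matter where it came from, while `trust_decision` checks a file against a trust database written in the fapolicyd.trust line format (path, size, sha256), so a file that was never registered or whose contents changed is not accepted. The staged files, their contents and the temporary root used by `demo()` are constructed.

```python
import hashlib
import os
import tempfile
def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_trust(text):
    """Parse fapolicyd.trust-style lines ("<path> <size> <sha256>") into {path: (size, hash)}."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            path, size, digest = line.split()
            db[path] = (int(size), digest.lower())
    return db

def label_decision(path, bin_dirs=("/bin", "/usr/bin", "/usr/libexec")):
    """Simplified path-based typing: anything under a bin dir is bin_t, origin ignored."""
    return "bin_t" if any(path.startswith(d + "/") for d in bin_dirs) else "unlabeled"

def trust_decision(path, db, root=""):
    """'trusted' only if path, size and sha256 all match; root relocates the file for demo()."""
    entry = db.get(path)
    if entry is None:
        return "unknown"
    size, digest = entry
    real = root + path
    if os.path.getsize(real) != size or sha256_of(real) != digest:
        return "modified"
    return "trusted"

def demo():
    """Stage constructed files under a temp root as if they lived in /usr/bin."""
    root = tempfile.mkdtemp()
    os.makedirs(root + "/usr/bin")
    def put(p, data):
        with open(root + p, "wb") as f: f.write(data)
    put("/usr/bin/packaged", b"#!/bin/sh\necho packaged\n")
    put("/usr/bin/tampered", b"#!/bin/sh\necho tampered\n")
    trust = "".join(f"{p} {os.path.getsize(root + p)} {sha256_of(root + p)}\n"
                    for p in ("/usr/bin/packaged", "/usr/bin/tampered"))
    db = parse_trust(trust)
    put("/usr/bin/tampered", b"#!/bin/sh\necho backdoor\n")  # same size, contents changed after trust
    put("/usr/bin/dropped", b"#!/bin/sh\necho dropped\n")    # never registered in the database
    return {p: (label_decision(p), trust_decision(p, db, root))
            for p in ("/usr/bin/packaged", "/usr/bin/tampered", "/usr/bin/dropped")}
```

All three staged files get the same bin_t answer from the path check, but only the registered, unchanged one is accepted by the trust check.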
