> >>There has been some work done on a "relaxed" policy. The intention of
> >>this policy is to simply protect system daemons, and not user logins.
> >>Right now there is just a policy for apache (which doesn't really work
> >>due to a kernel bug). Everything else runs in an "unconfined_t" domain,
> >>which essentially has every SELinux permission, and thus you are back to
> >>relying on DAC.
>
> One of the things we are considering is limiting the number of daemons
> we will lock down. We have picked out
> an arbitrary number of 5 for now and are trying to figure out which are
> the 5 daemons we would like to put in relaxed policy.
>
> My ideas are
>
> apache
> bind
> sendmail
> ftp
> ssh??? (Not sure this one is worth securing).

I am apparently not expressing myself well. My point is that if we are relaxing policy to the point where you are relying on DAC, what is the point? I want to test strict policy on those things where it most makes a difference. In that vein, sendmail and bind are two which have historically had a lot of problems. I would think those would be candidates for stricter policy, not more permissive.