On Mon, 2004-05-03 at 16:16, Thomas Molina wrote:
> > >>There has been some work done on a "relaxed" policy. The intention of
> > >>this policy is to simply protect system daemons, and not user logins.
> > >>Right now there is just a policy for apache (which doesn't really work
> > >>due to a kernel bug). Everything else runs in an "unconfined_t" domain,
> > >>which essentially has every SELinux permission, and thus you are back to
> > >>relying on DAC.
> >
> > One of the things we are considering is limiting the number of daemons
> > we will lock down. We have picked out
> > an arbitrary number of 5 for now and are trying to figure out which are
> > the 5 daemons we would like to put in relaxed policy.
> >
> > My ideas are
> >
> > apache
> > bind
> > sendmail
> > ftp
> > ssh??? (Not sure this one is worth securing).
>
> I am apparently not expressing myself well. My point is that if we are
> relaxing policy to the point where you are relying on DAC, what is the
> point? I want to test strict policy on those things where it most makes a
> difference. In that vein, sendmail and bind are two which have
> historically had a lot of problems. I would think those would be
> candidates for stricter policy, not more permissive.

I think you are in violent agreement in some ways. Selinux people are
looking to write policies that lock down a small set of daemons
(sendmail/bind/apache/ftp/portmap) but have user space and other items
to end up with a permissive policy until wrinkles can be ironed out.

--
Stephen John Smoogen smoogen@xxxxxxxx
Los Alamos National Lab CCN-5 Sched 5/40 PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --