Re: experimental relaxed policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2004-05-03 at 16:16, Thomas Molina wrote:
> > >>There has been some work done on a "relaxed" policy.  The intention of
> > >>this policy is to simply protect system daemons, and not user logins. 
> > >>Right now there is just a policy for apache (which doesn't really work
> > >>due to a kernel bug).  Everything else runs in an "unconfined_t" domain,
> > >>which essentially has every SELinux permission, and thus you are back to
> > >>relying on DAC.
> > 
> > One of the things we are considering is limiting the number of daemons 
> > we will lock down.    We have picked out
> > an arbitrary number of 5 for now and are trying to figure out which are 
> > the 5 daemons we would like to put in relaxed policy.
> > 
> > My ideas are
> > 
> > apache
> > bind
> > sendmail
> > ftp
> > ssh???  (Not sure this one is worth securing).
> 
> I am apparently not expressing myself well.  My point is that if we are 
> relaxing policy to the point where you are relying on DAC, what is the 
> point?  I want to test strict policy on those things where it most makes a 
> difference.  In that vein, sendmail and bind are two which have 
> historically had a lot of problems.  I would think those would be 
> candidates for stricter policy, not more permissive.

I think you are in violent agreement in some ways. Selinux people are
looking to write policies that lock down a small set of daemons
(sendmail/bind/apache/ftp/portmap) but have user space and other items
to end up with a permissive policy until wrinkles can be ironed out.


-- 
Stephen John Smoogen		smoogen@xxxxxxxx
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux