Hello,

Does anyone out there have policy config files that bring a Fedora Core 2 system into compliance with Chapter 8 of Defense Security Service's (DSS) National Industrial Security Program Operating Manual (NISPOM)?

The gist of my problem is that I need to get more strict access and auditing of any attempted access to system files by non-root users. I am trying to get SELinux to log every failed attempt of every non-root user to r/w/x all system files.

I can get it working by commenting out the following line in /etc/security/selinux/src/policy/tunable.te:

    #define(`read_default_t')

which gives users access to all default files. The problem is, it disallows access to all users, including root. This means that once I start enforcing, I have to reboot into single user mode to make any system changes as root. I need something which leaves sysadmin alone and only sets restrictions and audits on staff and users (or just users).

With the above line still commented out, I tried inserting the following lines in /etc/security/selinux/src/policy/domains/admin.te to open the system files back up to root again:

    general_file_read_access(sysadmin_t)
    general_file_write_access(sysadmin_t)
    general_domain_access(sysadmin_t)

(Found in the "Configuring the SELinux Policy" doc by Smalley)

However, the read and write access lines generated syntax errors when I tried to make the new policy.

Anyone know what I am doing wrong? Version mismatch? Mutually exclusive parameters? Anyone actually know how to do what I am trying to do? I am new to SELinux, so I am hoping that I am just missing something obvious.

Also, is there any other documentation besides the PDFs on the NSA site?

Thanks in Advance,
David Colbert