On Thu, 2005-03-31 at 17:59 +0200, Farkas Levente wrote: > my question why > selinux include the default policies? why selinux-policy-* contains the > right acces rights for all included deamons, programs? wouldn't it be > much better to all package include it's own policy and in the rpm > postinstall session reload/add/modify the new policies. That idea has been considered in the past, but it has some issues, e.g. - The current policy doesn't provide a real module abstraction, and lacks a strong dependency model and a way to easily handle variations in the base policy when inserting a new policy "module". That is being addressed by recent work by Tresys Technology to create a real module abstraction for policy; that work should be upstreamed in the near future. - While some aspects of the policy are highly localized (e.g. least privilege requirements on a particular application), other aspects require a global view of the policy (e.g. information flow constraints to ensure confidentiality and integrity guarantees). Hence, it is difficult to truly modularize policy in the same manner as packages. - Policy is intended to organize the system into security equivalence classes, i.e. not every package should have its own policy, and multiple packages should share the same policy. Hence, you need a layer of indirection between the policies and the packages. - Policy should be defined by the security administrator, not by the application writer. The application writer can help by providing information about what resources an application needs in order to function, but ultimately the decision about how to allow the application to interact with the base system should be made by the security admin, sometimes even denying access to the application that may reduce its available functionality or force it to alternative code paths. -- Stephen Smalley <sds@xxxxxxxxxxxxx> National Security Agency
