On Fri, 2007-01-26 at 15:34 -0500, bx wrote:
> On 1/26/07, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > I'd suggest leveraging the reference policy instead as
> > a baseline, then customize it as desired.
> > http://oss.tresys.com/projects/refpolicy
>
> I took a look at the reference policy and I am not sure how it
> can help me. I am not trying to use SELinux to constrain
> programs and daemons to sandboxes, instead I would like to use
> it to create restricted system administrator accounts.
> Although in the future, I may want to end up hardening apache,
> etc, however at this point, that is not my focus. My approach
> would be similar to the targeted policy, in which there is an
> "unconfined" base domain in which most things roam. I
> understand that in theory the reference policy would be a good
> approach due to its modular approach, however I do not know
> where to start to get myself my base unconfined layer I want.
> I am open to suggestions.

All policies are built from the reference policy these days, including
the Fedora -targeted policy (and the -strict policy and the -mls
policy). They are just different configurations of it. -strict policy
has a notion of user roles already, whereas -targeted does not (at
present).

--
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list