On Tue, Aug 11, 2009 at 6:54 PM, Anamitra Dutta Majumdar (anmajumd) <anmajumd@xxxxxxxxx> wrote:
>
> We are trying to migrate our existing security policies to SELinux. We
> are new to SELinux and hence are finding it difficult to map our
> existing policies.

I would recommend SELinux by Example since you will need to be familiar with the policy language to properly make the transition. I am not aware of any website that covers it in the same detail, but if you find one let me know.

> In our existing policy, all applications (including ones running as root
> user) with the exception of insmod and modprobe, are denied access to
> /lib directory. How would we go about writing such a policy without
> actually confining every application manually, since that would indeed
> be cumbersome?

Denied access completely? I'd think that might cause some problems, but there is still plenty I don't know so... You were using AppArmor or something similar? Interesting.

I think a neverallow rule is probably your best bet here; it will generate a compiler error if you have any rules that violate it. I don't specifically remember how the errors get reported, i.e. does it spit out the specific allow rules that cause the problem? Seems I need another refpolicy refresher. Anyway, after I'd cleaned up the errors, which might be a task and two-thirds, I'd add my allow rules for insmod and modprobe, which share the same label, insmod_exec_t, so at least that would be easy :^)

Though the thing to consider is really: do I need to completely deny access to this directory? SELinux allows fine-grained access control, so depending on your security goals the restriction need not necessarily require heavy modification of the policy.

Have you used the policy analysis tools? These should help you get a better idea of the scope of things affected by restricting access to lib_t; they take a little getting used to, so be patient.

yum install setools

There is also a GUI policy dev tool, two of them actually.

SLIDE is the one I think you'd need to tackle this task. I haven't really used it much (I like to beat my head against brick walls, don't you know). You can install it with yum, but it's separate from setools, yum install slide?

http://oss.tresys.com/projects/slide

I highly recommend the book mentioned above if you're completely new to SELinux.

So that's how I'd start to go about it anyway; there are much more experienced hands monitoring this list, but they are busy folk. You could try the IRC chat #selinux and #fedora-selinux for more direct and immediate help. dgrift is usually around there and is a good resource for these kinds of questions.

Also, you don't mention exactly what it's for, but there is a minimal SELinux policy you can load and that might cut down on a lot of the work.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
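As an added illustration of the neverallow approach discussed in the reply above (example policy written here, not code from the thread or from refpolicy), assuming the refpolicy names `domain` (the attribute every process type carries), `insmod_t` (the domain entered through `insmod_exec_t`, shared by insmod and modprobe) and `lib_t` (the type on /lib):

```selinux
# Added example, not from the thread. Assumes refpolicy names:
# domain (attribute of all process types), insmod_t (domain entered
# via insmod_exec_t, shared by insmod and modprobe) and lib_t (/lib).

# Compile-time assertion: no domain other than insmod_t may hold these
# permissions on lib_t. If any allow rule in the policy conflicts, the
# policy fails to build and the conflicting rule is reported, which is
# how the "clean up the errors" step in the reply surfaces them.
neverallow { domain -insmod_t } lib_t:dir { getattr search read open };
neverallow { domain -insmod_t } lib_t:file { getattr read open execute };
neverallow { domain -insmod_t } lib_t:lnk_file { getattr read };

# The one exception: the module loaders keep their access.
allow insmod_t lib_t:dir { getattr search read open };
allow insmod_t lib_t:file { getattr read open };
allow insmod_t lib_t:lnk_file { getattr read };

# Caveat (the "might cause some problems" point above): every
# dynamically linked program reads its shared objects from /lib, so the
# existing refpolicy rules (e.g. those behind libs_use_ld_so) will trip
# this assertion for almost every domain. Measure the scope first with
# the setools query:
#   sesearch --allow -t lib_t -c file
```

The sesearch query in the trailing comment lists every existing allow rule on lib_t files, which is the set of rules the neverallow would reject.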