On Mon, 2013-02-11 at 15:48 +0100, yersinia wrote:
> On Mon, Feb 11, 2013 at 11:49 AM, Dominick Grift
> <dominick.grift@xxxxxxxxx> wrote:
>
> > I've recently written a blog post about creating a restricted openssh
> > login user with raw rules:
> >
> > https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
> >
>
> I do not have an answer for you now, but just an observation. A post like
> yours, always informative and enjoyable, might suggest that writing
> selinux policy is like writing in assembler. Perhaps this could be
> true many, many years ago, but today is it really necessary to write a
> policy in the basic selinux language?

No, generally it is better to use the abstraction language. In this case,
however, the provided interfaces did not meet my requirements, and it is
also a study case for me. But a next step will be to create interfaces
for the policy in the blog posts so that I can use those interfaces
rather than raw policy to build on it.

The benefits of interfaces are:

- Single point of failure
- Human readable
- Generally easier to maintain
- Easier to write

The drawbacks:

- You depend on decisions made by the creator of the interfaces to be used
- Interfaces are subject to changes. A particular interface may meet your
  requirements today but not tomorrow
- Interfaces are a bit obscure, by nature I guess; they hide the gory details

Benefits of raw policy:

- Forces one to think like SELinux
- Gives you the plain facts
- Easy to add and remove rules

Drawbacks:

- Hard to maintain
- Intimidating to some
- Hard to read

I personally like raw policy a lot. It gives me a view on what is going on
from a SELinux point of view. But I know it is unmaintainable in large
projects.

But again, this was just a study also. I wanted to see how I could create
something usable with as few rules as possible.
> Sorry if OT
>
> bEST

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
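The raw-versus-interface trade-off discussed in the thread, shown side by side as an added example; this is not code from the blog post or from the reference policy, and the domain and type names `restricted_t` and `restricted_home_t` are hypothetical. Each section below is a complete module body on its own (build one or the other, not both); `files_read_etc_files()` and `read_files_pattern()` are existing reference-policy interfaces and support macros, which is the point of the comparison.

```m4
policy_module(restricted_login_example, 1.0.0)

########################################
#
# Declarations (hypothetical names, not from the original post)
#
type restricted_t;
type restricted_home_t;

########################################
#
# Variant A: raw rules.
# Every permission is spelled out, so what the domain may do is the
# plain fact on the page and nothing else; adding or dropping one
# permission is a one-line change, but nothing is shared or reused.
#
gen_require(`
	type etc_t;
')

# read-only access to /etc, without symlinks, without lock/ioctl
allow restricted_t etc_t:dir { getattr open read search };
allow restricted_t etc_t:file { getattr open read };

# read-only access to the user's own home directory
allow restricted_t restricted_home_t:dir { getattr open read search };
allow restricted_t restricted_home_t:file { getattr open read };

########################################
#
# Variant B: the same intent through reference-policy abstractions.
# One line per intent, readable and maintained centrally, but the
# exact permission set is decided by the interface author: the
# reference policy's files_read_etc_files() also grants lnk_file
# reads and the full read_file_perms set (lock, ioctl, ...), so the
# domain ends up with somewhat more than Variant A asked for, and a
# later reference-policy release can change what it expands to.
#
files_read_etc_files(restricted_t)

# read_files_pattern(domain, dir_type, file_type) expands to the
# directory search and file read rules that Variant A wrote by hand.
read_files_pattern(restricted_t, restricted_home_t, restricted_home_t)
```

Variant A needs only the core toolchain (`checkmodule -M -m`, `semodule_package`, `semodule -i`), whereas Variant B must be built with the reference-policy development Makefile (`make -f /usr/share/selinux/devel/Makefile` on Fedora-style systems) so the m4 interfaces are expanded. Comparing the two build results with `sesearch --allow -s restricted_t -t etc_t` on a loaded policy is a quick way to see exactly how much an interface adds beyond the raw rules.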