Re: SELinux and AppArmor.

Lukas Vrabec <lvrabec@xxxxxxxxxx>:

> On 6/18/19 10:07 AM, Marko Rauhamaa wrote:
>> I'm an application developer. Nobody's going to integrate my
>> application with the distro except me and my teammates. It would help
>> us tremendously if there were a cookbook for the likes of us.
>
> You can look at this; it's not finished, but a guide on how to start
> with policy writing is here:
>
> http://redhatgov.io/workshops/selinux_policy/exercise1.1/

Thanks, Lukas. It looks like what I've been looking for. I'll have to
research it.

It starts to seem like almost every file in a product should have its
own file context label type. Additionally, every process should have a
process context. Then, transition rules should assign process contexts
to executable files (often starting with init_t). Finally, each process
context should be granted I/O access.

Somewhat surprisingly, though, even without doing any of this, our
services mostly have access to everything they need on Fedora and RHEL
systems. Maybe the default distro policies are very lax so as not to
anger application developers.


Marko
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
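
The structure outlined in the message above (file context types, a process domain, a transition from init_t, and access grants), written out as a reference-policy module. This is an added example, not part of the original post or the linked workshop; `myapp`, every `myapp_*` type, and the paths are hypothetical names.

```selinux
# myapp.te -- type enforcement rules
# (myapp and all myapp_* names are hypothetical, chosen for this example)
policy_module(myapp, 1.0.0)

# Process context (domain) and the label carried by its executable.
type myapp_t;
type myapp_exec_t;
# Marks myapp_t as a daemon domain and adds the transition rule:
# init_t executing a file labeled myapp_exec_t -> process runs as myapp_t.
init_daemon_domain(myapp_t, myapp_exec_t)

# File context types for the data the service owns.
type myapp_var_lib_t;
files_type(myapp_var_lib_t)
type myapp_log_t;
logging_log_file(myapp_log_t)

# Access grants: the domain may manage only its own state and log files.
manage_dirs_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
manage_files_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
# Objects the service creates under /var/lib are labeled myapp_var_lib_t.
files_var_lib_filetrans(myapp_t, myapp_var_lib_t, { dir file })

manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
manage_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
# Objects the service creates under /var/log are labeled myapp_log_t.
logging_log_filetrans(myapp_t, myapp_log_t, { dir file })

# myapp.fc -- file context labels (a separate file, shown here as comments)
# /usr/bin/myapp         --  gen_context(system_u:object_r:myapp_exec_t,s0)
# /var/lib/myapp(/.*)?       gen_context(system_u:object_r:myapp_var_lib_t,s0)
# /var/log/myapp(/.*)?       gen_context(system_u:object_r:myapp_log_t,s0)
```

With the selinux-policy-devel package installed, `make -f /usr/share/selinux/devel/Makefile myapp.pp` builds the module and `semodule -i myapp.pp` loads it; `restorecon -Rv` on the listed paths then applies the labels.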



