On Wed, 2008-05-28 at 13:29 -0400, Hasan Rezaul-CHR010 wrote:
> Hi,
>
> From what I understand, given the SELinux framework...
>
> EVERYTHING by default is Denied, *except* what the policy explicitly
> allows...
>
> How can I configure things (if at all possible), such that
> EVERYTHING by default is Allowed, *except* the specific things Denied
> in the policy!!
>
> Is this doable?

There is no deny statement in the current policy language. As far as the mechanism is concerned, anything not allowed is denied.

unconfined_t is an example of a domain that is allowed (just about) everything. You can use the same macros/interfaces it uses to construct other similarly unconfined domains and then selectively remove rules if you want to deny certain actions, but whether or not that will yield a meaningful policy is another matter (e.g. denying direct write access to a given file might be easily circumvented by controlling another domain that has such write access or via more indirect information flows).

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
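The two points in the reply above (access is only what allow rules grant, and pulling one allow rule out of an unconfined-style domain is not a real denial when that domain can reach another domain that still holds the permission) can be made concrete with a small model. The following is an added example, not code from the thread, from the SELinux project or from the reference policy; it is a toy evaluator, not the SELinux policy language, and every type name (myunconf_t, helper_t, secret_t, helper_exec_t) and the make_unconfined helper are constructed for illustration. It tracks only two ways one domain can get code running as another (an allowed process transition, or write access to the other domain's entrypoint executable); the real kernel has more channels than that.

```python
"""Toy model of SELinux access-vector reasoning.

There is no deny rule: the policy is the set of allow rules and nothing else.
The scenario at the bottom builds an unconfined-style domain, removes its
direct write access to a file type, and then searches for indirect paths to
that same write access through domains it can still control.

Added example with constructed type names; not the SELinux policy language.
"""
from collections import deque


class Policy:
    def __init__(self):
        # Each rule is (source_type, target_type, object_class, permission).
        self.allow = set()

    def add(self, src, tgt, cls, perm):
        self.allow.add((src, tgt, cls, perm))

    def remove(self, src, tgt, cls, perm):
        # "Selectively remove" a rule: with no deny statement, the only way
        # to forbid an access is to not allow it.
        self.allow.discard((src, tgt, cls, perm))

    def allowed(self, src, tgt, cls, perm):
        # Default deny: anything not explicitly listed is denied.
        return (src, tgt, cls, perm) in self.allow

    def make_unconfined(self, domain, types, perms_by_class):
        # Mimics what an "unconfined" macro does in this model: allow the
        # domain every permission on every type for every class we track.
        for tgt in types:
            for cls, perms in perms_by_class.items():
                for perm in perms:
                    self.add(domain, tgt, cls, perm)

    def domains_controlled_by(self, src, domains, entrypoints):
        """Domains src can get code running in: by a direct process
        transition, or by writing the executable the domain is entered
        through (entrypoints maps domain -> its entrypoint file type)."""
        out = set()
        for d in domains:
            if d == src:
                continue
            if self.allowed(src, d, "process", "transition"):
                out.add(d)
            elif self.allowed(src, entrypoints[d], "file", "write"):
                out.add(d)
        return out

    def write_path(self, src, file_type, domains, entrypoints):
        """Shortest chain of domains from src to one allowed to write
        file_type, or None if neither a direct nor an indirect path exists."""
        seen = {src}
        queue = deque([[src]])
        while queue:
            path = queue.popleft()
            cur = path[-1]
            if self.allowed(cur, file_type, "file", "write"):
                return path
            for nxt in self.domains_controlled_by(cur, domains, entrypoints):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None


def build_scenario():
    # Constructed types: two domains and the file types they touch.
    domains = ["myunconf_t", "helper_t"]
    entrypoints = {"myunconf_t": "myunconf_exec_t", "helper_t": "helper_exec_t"}
    file_types = ["secret_t", "helper_exec_t", "myunconf_exec_t"]
    perms = {"file": {"read", "write", "execute", "entrypoint"},
             "process": {"transition"}}
    p = Policy()
    p.make_unconfined("myunconf_t", domains + file_types, perms)
    p.add("helper_t", "secret_t", "file", "write")
    p.add("helper_t", "helper_exec_t", "file", "entrypoint")
    return p, domains, entrypoints


def demo():
    p, domains, entrypoints = build_scenario()
    results = {}
    # Step 1: "deny" the direct write by removing the one allow rule.
    p.remove("myunconf_t", "secret_t", "file", "write")
    results["direct_after_remove"] = p.allowed("myunconf_t", "secret_t", "file", "write")
    # Still reachable: myunconf_t may transition into helper_t, which can write.
    results["path_via_transition"] = p.write_path("myunconf_t", "secret_t", domains, entrypoints)
    # Step 2: remove the transition; still reachable by rewriting helper's binary.
    p.remove("myunconf_t", "helper_t", "process", "transition")
    results["path_via_entrypoint"] = p.write_path("myunconf_t", "secret_t", domains, entrypoints)
    # Step 3: close that channel too; only now does the search come up empty.
    p.remove("myunconf_t", "helper_exec_t", "file", "write")
    results["path_after_closing"] = p.write_path("myunconf_t", "secret_t", domains, entrypoints)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows that removing the single rule makes the direct check fail, but write_path still finds myunconf_t -> helper_t twice over, first through the process transition and then through write access to helper_exec_t; only after every control channel the model knows about is removed does the search return None. The same reasoning applies to real policy, with more channels (ptrace, shared memory, sockets and other indirect flows) to account for, which is why building a "mostly unconfined" domain by subtraction rarely yields a meaningful restriction.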