On Wed, 2008-07-16 at 12:12 -0400, Christopher J. PeBenito wrote:
> For those that are interested, the SELinux user-based separation policy
> is ready for some initial testing. It can be checked out from the
> rbacsep branch of the refpolicy SVN repo. Not all of the type aliases
> are in place for compatibility yet, so switching from an existing policy
> should be done in permissive.
>
> A question that comes up is how exactly to determine which types
> should be constrained by ubac. The obvious answer would seem to be that
> if the user isn't system_u, then there should be ubac constraints on the
> access check. But the problem is that creating new files gets your
> selinux user on files. So if you look in /etc, you're likely to see non
> system_u files, such as ld.so.cache. The problem is that we don't want
> ubac constraints on these files. In addition, since there is no
> run_init on redhat (and possibly other distros) machines, restarted
> services would get non system_u users, which would also cause problems.
>
> My current implementation is actually more of an allow by default setup,
> where types are explicitly marked as being ubac constrained. Obviously
> deny by default would be preferred, but that would require all exempted
> types to be marked instead. The problem is the number of exempted types
> far outnumbers the constrained types. I'm open to suggestions on
> tweaking this design, especially if it gets us a deny by default without
> the pain of marking most types in the policy as exempted.

ping

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
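
Added example, not part of the original message and not refpolicy code: a small Python model of the three designs the message weighs (constrain whenever system_u is not involved, allow by default with marked constrained types, deny by default with marked exempt types). The marking sets, the exact form of the user check, and the type `new_app_data_t` are assumptions made for illustration.

```python
from typing import NamedTuple

class Ctx(NamedTuple):
    user: str   # SELinux user field of the context
    type: str   # type field of the context

# Constructed markings (assumptions); a real policy would use type attributes.
CONSTRAINED = {"user_t", "staff_t", "user_home_t"}   # allow-by-default design
EXEMPT = {"ld_so_cache_t", "httpd_t"}                # deny-by-default design

def users_ok(src: Ctx, tgt: Ctx) -> bool:
    # Assumed rule: same SELinux user, or either side is system_u.
    return src.user == tgt.user or "system_u" in (src.user, tgt.user)

def naive(src: Ctx, tgt: Ctx) -> bool:
    # Constrain every access where system_u is not involved.
    return users_ok(src, tgt)

def allow_by_default(src: Ctx, tgt: Ctx) -> bool:
    # Constraint applies only when both types are explicitly marked constrained.
    return users_ok(src, tgt) or not {src.type, tgt.type} <= CONSTRAINED

def deny_by_default(src: Ctx, tgt: Ctx) -> bool:
    # Constraint applies unless one of the types is explicitly marked exempt.
    return users_ok(src, tgt) or bool({src.type, tgt.type} & EXEMPT)

USER = Ctx("user_u", "user_t")   # constructed source context
CASES = {                        # constructed target contexts
    "ld.so.cache written by a staff_u admin": Ctx("staff_u", "ld_so_cache_t"),
    "service restarted without run_init": Ctx("staff_u", "httpd_t"),
    "another user's home file": Ctx("staff_u", "user_home_t"),
    "new type nobody marked (hypothetical)": Ctx("staff_u", "new_app_data_t"),
}

def evaluate() -> dict:
    # Verdict per case as (naive, allow_by_default, deny_by_default).
    designs = (naive, allow_by_default, deny_by_default)
    return {name: tuple(d(USER, tgt) for d in designs) for name, tgt in CASES.items()}

if __name__ == "__main__":
    for name, (n, a, d) in evaluate().items():
        print(f"{name:40} naive={n} allow_default={a} deny_default={d}")
```

The last case is the trade-off in the message: a type left out of both sets is unconstrained under the allow-by-default marking and constrained under the deny-by-default one.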