Hi All, I didn't get an answer to my question below :-( ------------------------------- Thanks for your answers :-) A quick follow up question... What would be the most appropriate Fedora selinux-policy that I can start off with as a base to build on top of, Given: that I have Linux 2.6.27, and I have the following latest SELinux package versions : checkpolicy-2.0.19 libselinux-2.0.85 libsemanage-2.0.33 libsepol-2.0.37 policycoreutils-2.0.69 sepolgen-1.0.17 Should I use Fedora 11 - download.fedora.redhat.com/pub/fedora/linux/development/i386/os/Packages /selinux-policy-3.6.6-5.fc11.noarch.rpm Or should I use Fedora 10 - download.fedora.redhat.com/pub/fedora/linux/updates/10/i386/selinux-poli cy-3.5.13-45.fc10.noarch.rpm Or should I use new RefPolicy from OpenSuSE - ftp5.gwdg.de/pub/opensuse/repositories/security:/SELinux/openSUSE_Factor y/noarch/selinux-policy-refpolicy-standard-2.20081210-1.8.noarch.rpm Thanks in advance as usual for all your help. -----Original Message----- From: Dominick Grift [mailto:domg472@xxxxxxxxx] Sent: Tuesday, October 27, 2009 3:50 AM To: Hasan Rezaul-CHR010 Cc: selinux@xxxxxxxxxxxxx Subject: Re: Where do I get a good Policy Base ?... On Mon, 2009-10-26 at 21:16 -0400, Hasan Rezaul-CHR010 wrote: > Hi All, > > I used to have the following SELinux related package versions on my > Linux (2.6.18) system: > > Checkpolicy - 1.33.1 > Libselinux - 2.0.13 > Libsemanage - 2.0.1 > Libsepol - 2.0.3 > Libsetrans - 0.1.18 > Policycoreutils - 2.0.16 > > And I used a 'strict' Base policy from Fedora Core 6. Made the > modifications I needed on top of that, and I was very happy... > > > We get our OS packaged/delivered from a third party company, and we're > upgrading to Linux 2.6.27, and as part of this upgrade, we are also > migrating to much newer versions of the SELinux packages. They are: > > checkpolicy-2.0.19 > libselinux-2.0.85 > libsemanage-2.0.33 > libsepol-2.0.37 > policycoreutils-2.0.69 > sepolgen-1.0.17 > > > My questions are: > > 1. I believe the "strict" policy is no longer supported in the above > versions of SELinux packages? Is this true ? the "strict" policy model is no longer supported. The strict and target policy have merged to a policy model that is called "targeted". You can configure the "targeted" policy to behave like old strict policy by removing removing the unconfined modules and by mapping your Linux logins to strict SELinux users. > > 2. The entire set of policies that I have fine-tuned over the years > under my /etc/selinux/strict/modules/active/modules/*.pp directory > in my previous older system, can I make any use of that ?? In other > words, can that stuff be re-used at all ? Or do I need to develop > policy from scratch again ? I am not sure about this but my opinion is that it should in most cases be possible to use older binary modules in newer policy. Reference policy should be compatible in my view. Please note though that is encouraged to keep the source policy for your binary modules so that you can edit policy modules easily later. > > 3. What will be a good base policy for me to start policy development > on ? Will it be refpolicy, or should I grab the base 'targeted' policy > from fedora core 11 for example ? This depends on your distro, but generally you should be better of with a distro specific policy. Also keep in mind that Fedora has a active community, frequent updates and many testers. > > 4. Assuming 'strict' is no longer supported in the NEW package > versions above, and I use a base 'targeted' policy as my starting > point... Should I be able to simply remove the "unconfined.pp" policy > module from the base targeted policy, and that essentially turns my > system into "strict-like" mode ? Is that advisable ? That is the idea, yes, > > 5. If I do continue to use the 'targeted' base policy as is, how can I > develop policy on top of that, to make sure I still block specific > things that I don't want to take place. For example, I DON'T want a > user_t to be able to write to files of type etc_t for example. How > do I go about accomplishing this given the 'targeted' framework ? I > know how to do this in the old 'strict' framework, not sure how to go > about it with the targeted framework. Please shed some light or point > me to documents... You can write your own custom policy modules on that of the policy that is distributed. Current policy is usually modular. Basically write a source policy module, build it and install it using the semanage or the semodule command. e.g. (Fedora/RedHat): echo "policy_module(mytest, 0.0.1)" > mytest.te; make -f /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp sudo semodule -l | grep mytest > > Again, Any references or documentation links would be greatly > appreciated. www.selinuxproject.org/page/User_Resources > > Thanks in advance. > > > -- > This message was distributed to subscribers of the selinux mailing list. > If you no longer wish to subscribe, send mail to > majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
