On 11/11/2009 06:25 PM, Hasan Rezaul-CHR010 wrote:
> Thanks Dan,
>
> I can't seem to find a good place to download the selinux-policy rpm for
> Fedora 12. Can you point me to a URL link, or tell me how/where I can
> obtain it?
>
> In general, when looking for what policy to use as a base, is it more
> important to stay consistent about the Linux Kernel version, or is it
> more important to make sure the versions of selinux-packages are
> consistent? I am guessing it's the latter.
>
> Thanks.
>
>
> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
> Sent: Wednesday, November 11, 2009 4:02 PM
> To: Hasan Rezaul-CHR010
> Cc: Stephen Smalley; selinux@xxxxxxxxxxxxx
> Subject: Re: Where do I get a good Policy Base ?...
>
> On 11/11/2009 02:37 PM, Hasan Rezaul-CHR010 wrote:
>> Hi All,
>>
>> I didn't get an answer to my question below :-(
>>
>>
> F12 policy.
>
>
>> -------------------------------
>>
>> Thanks for your answers :-)
>>
>> A quick follow up question...
>>
>> What would be the most appropriate Fedora selinux-policy that I can
>> start off with as a base to build on top of, given that I have Linux
>> 2.6.27, and I have the following latest SELinux package versions:
>>
>> checkpolicy-2.0.19
>> libselinux-2.0.85
>> libsemanage-2.0.33
>> libsepol-2.0.37
>> policycoreutils-2.0.69
>> sepolgen-1.0.17
>>
>> Should I use Fedora 11 -
>> download.fedora.redhat.com/pub/fedora/linux/development/i386/os/Packages/selinux-policy-3.6.6-5.fc11.noarch.rpm
>>
>> Or should I use Fedora 10 -
>> download.fedora.redhat.com/pub/fedora/linux/updates/10/i386/selinux-policy-3.5.13-45.fc10.noarch.rpm
>>
>> Or should I use new RefPolicy from OpenSuSE -
>> ftp5.gwdg.de/pub/opensuse/repositories/security:/SELinux/openSUSE_Factory/noarch/selinux-policy-refpolicy-standard-2.20081210-1.8.noarch.rpm
>>
>>
>> Thanks in advance as usual for all your help.
>>
>>
>>
>>
>> -----Original Message-----
>> From: Dominick Grift [mailto:domg472@xxxxxxxxx]
>> Sent: Tuesday, October 27, 2009 3:50 AM
>> To: Hasan Rezaul-CHR010
>> Cc: selinux@xxxxxxxxxxxxx
>> Subject: Re: Where do I get a good Policy Base ?...
>>
>> On Mon, 2009-10-26 at 21:16 -0400, Hasan Rezaul-CHR010 wrote:
>>> Hi All,
>>>
>>> I used to have the following SELinux related package versions on my
>>> Linux (2.6.18) system:
>>>
>>> Checkpolicy - 1.33.1
>>> Libselinux - 2.0.13
>>> Libsemanage - 2.0.1
>>> Libsepol - 2.0.3
>>> Libsetrans - 0.1.18
>>> Policycoreutils - 2.0.16
>>>
>>> And I used a 'strict' Base policy from Fedora Core 6. Made the
>>> modifications I needed on top of that, and I was very happy...
>>>
>>>
>>> We get our OS packaged/delivered from a third party company, and we're
>>> upgrading to Linux 2.6.27, and as part of this upgrade, we are also
>>> migrating to much newer versions of the SELinux packages. They are:
>>>
>>> checkpolicy-2.0.19
>>> libselinux-2.0.85
>>> libsemanage-2.0.33
>>> libsepol-2.0.37
>>> policycoreutils-2.0.69
>>> sepolgen-1.0.17
>>>
>>>
>>> My questions are:
>>>
>>> 1. I believe the "strict" policy is no longer supported in the above
>>> versions of SELinux packages? Is this true?
>>
>> The "strict" policy model is no longer supported. The strict and
>> targeted policy have merged into a policy model that is called "targeted".
>> You can configure the "targeted" policy to behave like the old strict
>> policy by removing the unconfined modules and by mapping your
>> Linux logins to strict SELinux users.
>>
>>>
>>> 2. The entire set of policies that I have fine-tuned over the years
>>> under my /etc/selinux/strict/modules/active/modules/*.pp directory
>>> in my previous older system, can I make any use of that?? In other
>>> words, can that stuff be re-used at all? Or do I need to develop
>>> policy from scratch again?
>>
>> I am not sure about this but my opinion is that it should in most
>> cases be possible to use older binary modules in newer policy.
>> Reference policy should be compatible in my view.
>>
>> Please note though that it is encouraged to keep the source policy for
>> your binary modules so that you can edit policy modules easily later.
>>
>>>
>>> 3. What will be a good base policy for me to start policy development
>>> on? Will it be refpolicy, or should I grab the base 'targeted' policy
>>> from fedora core 11 for example?
>>
>> This depends on your distro, but generally you should be better off
>> with a distro specific policy. Also keep in mind that Fedora has an
>> active community, frequent updates and many testers.
>>
>>>
>>> 4. Assuming 'strict' is no longer supported in the NEW package
>>> versions above, and I use a base 'targeted' policy as my starting
>>> point... Should I be able to simply remove the "unconfined.pp" policy
>>> module from the base targeted policy, and that essentially turns my
>>> system into "strict-like" mode? Is that advisable?
>>
>> That is the idea, yes.
>>
>>>
>>> 5. If I do continue to use the 'targeted' base policy as is, how can I
>>> develop policy on top of that, to make sure I still block specific
>>> things that I don't want to take place. For example, I DON'T want a
>>> user_t to be able to write to files of type etc_t for example. How
>>> do I go about accomplishing this given the 'targeted' framework? I
>>> know how to do this in the old 'strict' framework, not sure how to go
>>> about it with the targeted framework. Please shed some light or point
>>> me to documents...
>>
>> You can write your own custom policy modules on top of the policy
>> that is distributed. Current policy is usually modular. Basically
>> write a source policy module, build it and install it using the
>> semanage or the semodule command.
>>
>> e.g. (Fedora/RedHat):
>>
>> echo "policy_module(mytest, 0.0.1)" > mytest.te; make -f /usr/share/selinux/devel/Makefile mytest.pp; sudo semodule -i mytest.pp; sudo semodule -l | grep mytest
>>
>>>
>>> Again, Any references or documentation links would be greatly
>>> appreciated.
>>
>> www.selinuxproject.org/page/User_Resources
>>
>>>
>>> Thanks in advance.
>>>
>>>
>>> --
>>> This message was distributed to subscribers of the selinux mailing list.
>>> If you no longer wish to subscribe, send mail to
>>> majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without
>>> quotes as the message.
>>
>>
>

Latest F12 packages are in koji, here is a link:

http://koji.fedoraproject.org/koji/buildinfo?buildID=140508

The Fedora Kernel can handle multiple different policies, so I am not sure I understand the question.
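The build-and-install sequence Dominick quotes above (write a .te, build it with the Fedora devel Makefile, load it with semodule, check the list), written out as a script with the prerequisite checks a practitioner would want. This is an added example, not code from the thread or from any of its posters. It assumes the Fedora/RedHat Makefile path given in the thread and the selinux-policy-devel package that ships it; the rule inside the generated module is my own illustration for question 5: a loadable module can only add rules and cannot take away access the base policy already grants, so the closest a module can do for "user_t must not write etc_t" is a neverallow, which makes the build fail if any loaded policy grants that access (this check is only performed when expand-check=1 is set in /etc/selinux/semanage.conf).

```shell
#!/bin/sh
# Added example (not from the thread): scaffold, build and install a custom
# SELinux policy module the way Dominick describes, with prerequisite checks.
# Assumes the Fedora/RedHat devel Makefile at /usr/share/selinux/devel/Makefile.

DEVEL_MAKEFILE=/usr/share/selinux/devel/Makefile

# Write a minimal source module, mytest.te, into directory $1.
# The require block names types that already exist in the base policy; the
# neverallow is a constructed example for question 5. It does not revoke
# anything: it only fails the build if user_t is ever granted write/append
# on etc_t files, and only when expand-check=1 is set in semanage.conf.
write_mytest_te() {
    dir="$1"
    cat > "$dir/mytest.te" <<'EOF'
policy_module(mytest, 0.0.1)

require {
    type user_t;
    type etc_t;
}

# Compile-time check: fail if any loaded policy lets user_t write etc_t files.
neverallow user_t etc_t:file { write append };
EOF
}

# Build mytest.pp from mytest.te in directory $1.
# Returns 2 if the devel Makefile (selinux-policy-devel) is not installed.
build_mytest() {
    dir="$1"
    if [ ! -f "$DEVEL_MAKEFILE" ]; then
        echo "missing $DEVEL_MAKEFILE: install selinux-policy-devel" >&2
        return 2
    fi
    ( cd "$dir" && make -f "$DEVEL_MAKEFILE" mytest.pp )
}

# Install the built module from directory $1 and confirm semodule lists it.
install_mytest() {
    dir="$1"
    sudo semodule -i "$dir/mytest.pp" || return 1
    # semodule -l prints "name<TAB>version"; match on the name column only.
    semodule -l | grep -q '^mytest[[:space:]]'
}

# Show whether neverallow checking is enabled; the rule above is inert
# at build time unless this prints 1.
expand_check_setting() {
    sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*//p' \
        /etc/selinux/semanage.conf 2>/dev/null | tail -n 1
}

# Run the whole procedure only when invoked as: sh thisscript.sh --run
case "${1-}" in
--run)
    work=$(mktemp -d)
    write_mytest_te "$work"
    echo "expand-check in semanage.conf: ${expand_check_setting:-$(expand_check_setting)}"
    build_mytest "$work" && install_mytest "$work" && echo "mytest loaded"
    ;;
esac
```

Run it as `sh mytest-module.sh --run` on the target box; without `--run` it only defines the functions, so it can be sourced and the steps run one at a time. If `expand_check_setting` prints nothing or 0, the neverallow in the module is not enforced at build time and the module will load regardless of what the base policy grants.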