On Tue, Dec 15, 2009 at 12:43:37PM -0500, Hasan Rezaul-CHR010 wrote:
> Hi All,
>
> I have Linux 2.6.27 on a non-popular Linux distro, and I have the
> following SELinux package versions:
>
> checkpolicy-2.0.19
> libselinux-2.0.85
> libsemanage-2.0.33
> libsepol-2.0.37
> policycoreutils-2.0.69
> sepolgen-1.0.17
>
> I know SELinux's governing framework is that by default everything is
> DENIED, except all accesses that are explicitly allowed in the policy...
>
> Is there any way whatsoever to reverse that philosophy? In other words,
> is it possible to configure things and write policy in a way such that:
>
> Only explicit things are disallowed... So whenever no explicit policy
> exists for an access request it is actually ALLOWED. This way, if I
> write a new task or process, I don't have to write new policy for it to
> allow all the things it needs. By default things will just be allowed,
> unless some of those accesses have been explicitly disallowed in policy?
>
> My guess is that this CAN'T be done... But thought I would ask anyway?

Fedora's selinux-policy-minimal is supposed to be just that (well, kind
of). By default everything runs in an unconfined domain which is allowed
all access. To restrict processes you should explicitly write policy.

> Also can SELinux mappings be created for a Unix Group, as opposed to
> mapping to individual Linux Users?

No, AFAIK.

> Thanks.