On Tue, 2009-12-15 at 12:43 -0500, Hasan Rezaul-CHR010 wrote: > Hi All, > > I have Linux 2.6.27 on a non-popular Linux distro, and I have the > following SELinux package versions : > > > checkpolicy-2.0.19 > > libselinux-2.0.85 > > libsemanage-2.0.33 > > libsepol-2.0.37 > > policycoreutils-2.0.69 > > sepolgen-1.0.17 > > I know SELinux's is governing framework is that by default everything > is > DENIED, except all accesses that are explicitly allowed in the > policy... > > Is there anyway whatsoever to reverse that philosophy ? In other > words, > is it possible to configure things and write policy in a way such > that: > > Only explicit things are disallowed... So whenever no explicit policy > exists for an access request it is actually ALLOWED. This way, if I > write a new task or process, I don't have to write new policy for it > to > allow all the things it needs. By default things will just be allowed, > unless some of those accesses have been explicitly disallowed in > policy > ? > > My guess is that this CANT be done... But thought I would ask anyway ? If you are asking whether SELinux can be used to configure a set of "disablities" rather than "capabilites", I guess the answer would be no. The reason is the question itself :) It's a different design philosophy.. Bandan > Also can SELinux mappings be created for a Unix Group, as opposed to > mapping to individual Linux Users ? > > Thanks. > > > -- > This message was distributed to subscribers of the selinux mailing > list. > If you no longer wish to subscribe, send mail to > majordomo@xxxxxxxxxxxxx with > the words "unsubscribe selinux" without quotes as the message. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
