On Tue, 2009-12-15 at 12:43 -0500, Hasan Rezaul-CHR010 wrote: > Hi All, > > I have Linux 2.6.27 on a non-popular Linux distro, and I have the > following SELinux package versions : > > > checkpolicy-2.0.19 > > libselinux-2.0.85 > > libsemanage-2.0.33 > > libsepol-2.0.37 > > policycoreutils-2.0.69 > > sepolgen-1.0.17 > > I know SELinux's is governing framework is that by default everything is > DENIED, except all accesses that are explicitly allowed in the policy... > > Is there anyway whatsoever to reverse that philosophy ? In other words, > is it possible to configure things and write policy in a way such that: > > Only explicit things are disallowed... So whenever no explicit policy > exists for an access request it is actually ALLOWED. This way, if I > write a new task or process, I don't have to write new policy for it to > allow all the things it needs. By default things will just be allowed, > unless some of those accesses have been explicitly disallowed in policy > ? > > My guess is that this CANT be done... But thought I would ask anyway ? Not from a mechanism point of view, no. But from a policy point of view, you can achieve your end by initially declaring a domain as an unconfined domain and then removing rules, or by declaring a domain as a permissive domain and generating rules for it via audit2allow. > Also can SELinux mappings be created for a Unix Group, as opposed to > mapping to individual Linux Users ? Yes - just use %groupname in the seusers configuration. -- Stephen Smalley National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
