On Thu, 2011-04-14 at 11:06 -0700, Sam Gandhi wrote:
> I removed all the allow statements in the policy.conf generated by mdp
> and left just one allow statement
>
> allow base_t base_t:user73 *;
>
> Now see the AVC messages as my daemons start, will convert them to
> policy statement using audit2allow. Is this the right approach in
> generating minimal policy for embedded platforms?

That will just generate a policy with all processes running in base_t and all files labeled with base_t; audit2allow doesn't generate new types for you. You need to give some thought to what your security goals are, what subjects and objects you want to distinguish, define types and type transitions for those subjects and objects, and label the subject executables and objects accordingly. Only then can you begin to exercise the system and "learn" policy using audit2allow.

You can of course do this incrementally, e.g. start by splitting out some small set of subject types (aka "domains") and some coarse-grained division of your filesystem into a small number of file types, and refine it over time.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
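As an added illustration of the incremental approach described in the reply (not code from the thread or from mdp), here is a policy.conf fragment that carves one daemon domain and one file type out of the mdp-generated base_t; the names mydaemon_t, mydaemon_exec_t, mydaemon_data_t and the path /sbin/mydaemon are assumptions.

```selinux
# Added example, not from the thread: splitting a first domain out of
# the single base_t that mdp generates. All names except base_t and
# base_r are assumed for illustration.

# New types: a domain for the daemon, a type for its executable, and a
# type for the data files it owns.
type mydaemon_t;
type mydaemon_exec_t;
type mydaemon_data_t;

# mdp authorizes base_r only for base_t; the new domain must be added.
role base_r types mydaemon_t;

# Domain transition: when a base_t process executes a file labeled
# mydaemon_exec_t, the new process runs as mydaemon_t.
allow base_t mydaemon_exec_t:file { getattr open read execute };
allow mydaemon_t mydaemon_exec_t:file entrypoint;
allow base_t mydaemon_t:process transition;
type_transition base_t mydaemon_exec_t:process mydaemon_t;

# Object split: files the daemon creates in a base_t directory get
# their own type instead of inheriting base_t.
allow mydaemon_t base_t:dir { search write add_name };
allow mydaemon_t mydaemon_data_t:file { create open read write getattr };
type_transition mydaemon_t base_t:file mydaemon_data_t;

# Optional while learning: make only the new domain permissive so the
# daemon keeps running and audit2allow can be fed its AVC denials,
# while the rest of the system stays enforcing.
permissive mydaemon_t;

# Labeling is separate from the policy; after loading it, the
# executable must carry the entry type, e.g. on the target:
#   chcon -t mydaemon_exec_t /sbin/mydaemon
```

Rules that audit2allow later proposes can then be scoped to mydaemon_t and mydaemon_data_t rather than to base_t, which is what makes the resulting policy say anything at all.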