Re: Why is SELINUXTYPE policy specific?

On 04/22/14 18:23, Stephen Smalley wrote:
On 04/22/2014 12:59 AM, dE wrote:
On 04/21/14 13:31, Sven Vermeulen wrote:
On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@xxxxxxxxx> wrote:
There are 3 security models in which SELinux can work -- TE, RBAC and
MLS.

And there are 6 types of SELinux policies --

targeted, mls, mcs, standard, strict or minimum.

Each security model requires its own set of policies and the policies
can be 1 of the 6 types. So can all the 3 security models and 6 types be
intermixed? Won't there be conflicts like with MLS and RBAC?
The SELINUXTYPE value should be seen as the name given to a policy
store. The contents (the actual policy, the features it supports, the
fact that it is MLS-enabled or not) have nothing to do with the name
of the store per se. It is just a matter of convenience that policy
stores are named in a particular way so that, cross-distributions,
security administrators can deduce the type and features of the policy
based on the name.

For instance, on RHEL6, "targeted" is the name given to the policy
store that contains an MCS policy with support for unconfined domains.
On Gentoo, this name is rather used for non-MCS policy with support
for unconfined domains.

Afaik, there is no conflict between RBAC and MLS. With MLS, the
SELinux subsystem allows or denies access based on the dominance rules
between the domains' security clearance and the resource sensitivity
level. RBAC instead allows or denies a SELinux role to be associated
with a particular domain.

Wkr,
    Sven Vermeulen
So can policies which support RBAC be made to have a different
SELINUXTYPE?
You can use any SELINUXTYPE value you want; it is just an arbitrary name
for the policy.  No inherent relationship to the underlying model or
configuration.

Can targeted, mls, mcs, standard, strict or minimum also be considered
as different security models? Since all these are made based on the TE
model, can we make a custom security model based on TE and give it a
different SELINUXTYPE?
No, they are not different security models, just different
configurations of the same model, and you are mixing the notions of
SELINUXTYPE, TYPE and NAME.  At most, you might say that mcs and mls are
different "models" since they use different sets of constraint
definitions but that's all just configuration data for SELinux...

Sorry for the late response -- I was really busy setting up that graphics card.

So I don't understand the purpose of SELINUXTYPE. Can someone please explain?
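
An added example, not part of the thread or of any SELinux project code: it follows Sven Vermeulen's point that SELINUXTYPE only names a policy store by resolving the name to a store directory and then reading the MLS flag from the binary policy header itself. The directory tree, the store name "mystore" and the header-only policy.24 files are constructed samples; the /etc/selinux/NAME/policy/policy.VERSION layout and the header fields are stated from the standard SELinux userspace, not from the thread.

```python
import os
import struct
import tempfile

POLICYDB_MAGIC = 0xF97CFF8C   # magic number at the start of a kernel binary policy
POLICYDB_CONFIG_MLS = 0x1     # header config bit: MLS fields in use (also set for MCS)

def read_selinuxtype(config_path):
    """Return the SELINUXTYPE value from an /etc/selinux/config style file."""
    with open(config_path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line.startswith("SELINUXTYPE="):
                return line.split("=", 1)[1].strip()
    raise ValueError("SELINUXTYPE not set")

def policy_has_mls(policy_path):
    """Read the binary policy header and report whether the MLS bit is set."""
    with open(policy_path, "rb") as fh:
        magic, slen = struct.unpack("<II", fh.read(8))
        if magic != POLICYDB_MAGIC:
            raise ValueError("not a kernel binary policy")
        fh.read(slen)                       # identifier string, "SE Linux"
        _version, config = struct.unpack("<II", fh.read(8))
    return bool(config & POLICYDB_CONFIG_MLS)

def describe_store(root):
    """Resolve config -> store name -> newest policy file -> MLS flag."""
    name = read_selinuxtype(os.path.join(root, "config"))
    policy_dir = os.path.join(root, name, "policy")
    newest = max(os.listdir(policy_dir), key=lambda f: int(f.rsplit(".", 1)[1]))
    return name, policy_has_mls(os.path.join(policy_dir, newest))

def build_constructed_tree(root, name, mls):
    """Constructed sample: a config file plus a header-only policy file."""
    os.makedirs(os.path.join(root, name, "policy"))
    with open(os.path.join(root, "config"), "w") as fh:
        fh.write("SELINUX=enforcing\nSELINUXTYPE=%s\n" % name)
    header = struct.pack("<II", POLICYDB_MAGIC, 8) + b"SE Linux"
    header += struct.pack("<II", 24, POLICYDB_CONFIG_MLS if mls else 0)
    with open(os.path.join(root, name, "policy", "policy.24"), "wb") as fh:
        fh.write(header)

def demo():
    """Two stores both named 'targeted' differ in MLS; an arbitrary name works too."""
    results = []
    for name, mls in (("targeted", True), ("targeted", False), ("mystore", True)):
        with tempfile.TemporaryDirectory() as root:
            build_constructed_tree(root, name, mls)
            results.append(describe_store(root))
    return results
```

On a real system, pointing `describe_store` at /etc/selinux reports the same pair that `sestatus` shows as the loaded policy name and the policy MLS status.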