Re: SELinux Policy/Flask Classes from scratch
On Fri, 2007-01-26 at 15:34 -0500, bx wrote:
On 1/26/07, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
I'd suggest leveraging the reference policy instead as
a baseline, then
customize it as desired.
http://oss.tresys.com/projects/refpolicy
I took a look at the reference policy and I am not sure how it
can help me. I am not trying to use SELinux to constrain
programs and daemons to sandboxes, instead I would like to use
it to create restricted system administrator accounts.
Although in the future, I may want to end up hardening apache,
etc, however at this point, that is not my focus. My approach
would be similar to the targeted policy, in which there is an
"unconfined" base domain in which most things roam. I
understand that in theory the reference policy would be a good
approach due to its modular approach, however I do not know
where to start to get myself my base unconfined layer I want.
I am open to suggestions.
All policies are built from the reference policy these days, including
the Fedora -targeted policy (and the -strict policy and the -mls
policy). They are just different configurations of it. -strict policy
has a notion of user roles already, whereas -targeted does not (at
present).
--
Stephen Smalley
National Security Agency