7:45 p.m.
The Fedora Core 5 SELinux FAQ is now available at
http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have
any corrections or suggestions. Also, check out the Fedora SELinux wiki
at http://fedoraproject.org/wiki/SELinux, which includes a section for
adding proposed additions to the FAQ.
Thanks,
Chad
--
----------------------
Chad Sellers
Tresys Technology, LLC
csellers(a)tresys.com
http://www.tresys.com
7:49 p.m.
On Tue, 2006-03-28 at 20:45 -0500, Chad Sellers wrote:
The Fedora Core 5 SELinux FAQ is now available at
http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have
any corrections or suggestions. Also, check out the Fedora SELinux wiki
at http://fedoraproject.org/wiki/SELinux, which includes a section for
adding proposed additions to the FAQ.
Thanks,
Chad
Thanks Chad. Good work.
Rahul
11:19 a.m.
On 3/28/06, Chad Sellers <csellers(a)tresys.com> wrote:
The Fedora Core 5 SELinux FAQ is now available at
http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have
any corrections or suggestions. Also, check out the Fedora SELinux wiki
at http://fedoraproject.org/wiki/SELinux, which includes a section for
adding proposed additions to the FAQ.
Cool and thanks for all the work here.
I am trying to go over the questions in here one by one.. as I need to
work out what could be done for some systems where I work. I have one
question so far:
Q: What about the strict policy? Does it even work?
[From the list at release time.. I thought strict policy was broken
for Core.]
Q: What is the Reference Policy?
[I found I am really confused by this answer.. if my muddled brain
is getting this correct.. the Reference Policy is the base policy that
the Fedora Core 5 targeted, strict, mls policies are based off of the
Reference Policy.. or are there 2 sets of policies shipped with Fedora
Core 5 some of which are based off of the old set and the others by
the new set.]
Again thanks.. I will try to send some stuff as I go through this.
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
11:53 a.m.
On Wed, 2006-03-29 at 10:19 -0700, Stephen J. Smoogen wrote:
I am trying to go over the questions in here one by one.. as I need
to
work out what could be done for some systems where I work. I have one
question so far:
Q: What about the strict policy? Does it even work?
[From the list at release time.. I thought strict policy was broken
for Core.]
Yes, -strict in FC5 is broken at the moment, although there is ongoing
work to resolve the issues needed to get it working. The breakage isn't
really anything to do with -strict per se, just fully modularized policy
(breaking down even the base policy into lots of individual modules).
Q: What is the Reference Policy?
[I found I am really confused by this answer.. if my muddled brain
is getting this correct.. the Reference Policy is the base policy that
the Fedora Core 5 targeted, strict, mls policies are based off of the
Reference Policy.. or are there 2 sets of policies shipped with Fedora
Core 5 some of which are based off of the old set and the others by
the new set.]
Reference policy is the new source policy tree from which all policy
types (-strict, -targeted, -mls) are being built. Previously, they were
being built from the NSA example policy source tree.
--
Stephen Smalley
National Security Agency
12:03 p.m.
On Wed, 2006-03-29 at 12:53 -0500, Stephen Smalley wrote:
> Q: What is the Reference Policy?
>
> [I found I am really confused by this answer.. if my muddled brain
> is getting this correct.. the Reference Policy is the base policy that
> the Fedora Core 5 targeted, strict, mls policies are based off of the
> Reference Policy.. or are there 2 sets of policies shipped with Fedora
> Core 5 some of which are based off of the old set and the others by
> the new set.]
Reference policy is the new source policy tree from which all policy
types (-strict, -targeted, -mls) are being built. Previously, they were
being built from the NSA example policy source tree.
I'm guessing that you were confused by this statement from the FAQ:
"Fedora policies at version 1.x are based on the traditional example
policy. Version 2.x policies (as used in Fedora Core 5) are based on the
Reference Policy."
This doesn't mean that there are two branches of policy (1.x and 2.x)
being carried in FC5; FC5 only has version 2.x.y policies based on
refpolicy. The above statement from the FAQ just means that when the
developers switched from using example policy to reference policy as
their source base during development of FC5, they changed the package
version from being a 1.x series to being a 2.x series to signify that a
major change had occurred. So when you see a policy package that has a
1.x version, you know you are dealing with a policy built from example
policy (as in FC4, RHEL4, FC3), and when you see a 2.x version, you know
you are dealing with a policy built from refpolicy (as in FC5 and
everything going forward).
--
Stephen Smalley
National Security Agency
6596
days inactive
6596
days old
selinux@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
Chad Sellers -
Rahul Sundaram -
Stephen John Smoogen -
Stephen Smalley