No more selinux-policy-*-sources

Daniel J Walsh dwalsh at redhat.com
Tue Mar 14 18:48:59 UTC 2006


Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
>
>   
>> Go read:
>> http://www.ranum.com/security/computer_security/editorials/dumb/
>>     
>
> So shipping the targetted policy is a dumb idea. RH will be glad to hear that.
>
>   
No targeted policy is confining the selected domains by deny all.    We 
look at targeted policy as a way
of protecting user space from system space.   Or another way to look at 
it would be putting a firewall around
the users processes and preventing the system spaces from touching 
that.  So one of the goals is to prevent apache
processes from touching user files.  As a by product of this, we are 
actually "fire walling" most applications from
each other, so apache can not touch the name server files, and the name 
server can not touch the apache server.

Strict policy and targeted policy are pretty much the same in FC5 as far 
as system applications are concerned.  Strict policy also tries to limit 
the access of applications that users run like Firefox and evolution.  
There are several problems
here but we are beginning to address some of these by limiting the use 
of executable memory, even in userspace.  We hope to slowly bring 
additional selinux components out into User space.





More information about the devel mailing list