Difference between users getting selinux status info between Fedora 18 and RHEL6

Dominick Grift dominick.grift at gmail.com
Mon Feb 11 15:26:33 UTC 2013


On Mon, 2013-02-11 at 15:48 +0100, yersinia wrote:
> On Mon, Feb 11, 2013 at 11:49 AM, Dominick Grift
> <dominick.grift at gmail.com>wrote:
> 
> > I've recently written a blog post about creating a restricted openssh
> > login user with raw rules:
> >
> > https://84.245.5.136/wordpress/create-a-restricted-openssh-login-user-with-selinux/
> >
> I do not have an answer for you now, but just an observation. A post like
> yours, always informative and enjoyable, might suggest that writing
> selinux policy is like writing in assembler. Perhaps this could have been
> true many, many years ago, but today is it really necessary to write a
> policy in the basic selinux language?

No, generally it is better to use the abstraction language. In this case
however the provided interfaces did not meet my requirements and it is
also a study case for me.

But a next step will be to create interfaces for the policy in the blog
posts so that I can use those interfaces rather than raw policy to build
on it.

The benefits of interfaces are:

Single point of failure
Human readable
Generally easier to maintain
Easier to write

The drawbacks:

You depend on decisions made by the creator of the interfaces to be used
Interfaces are subject to change. A particular interface may meet your
requirements today but not tomorrow
Interfaces are a bit obscure, by nature I guess; they hide the gory
details

Benefits of raw policy:

Forces one to think like selinux
Gives you the plain facts
Easy to add and remove rules

Drawbacks:

Hard to maintain
Intimidating to some
Hard to read

I personally like raw policy a lot. It gives me a view on what is going
on from a SELinux point of view.

But I know it is unmaintainable in large projects.

But again, this was just a study also. I wanted to see how I could
create something usable with as few rules as possible.

> Sorry if OT
> 
> Best
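To make the "raw rules versus interfaces" trade-off discussed above concrete, here is an added illustration that is not part of the thread or of the blog post it refers to. It grants one domain read access to /etc three ways: as raw allow rules, by calling the reference policy interface files_read_etc_files (a real interface in refpolicy's kernel/files.if), and by wrapping the same rules in a locally defined interface, which is the "next step" the reply describes. The domain name restricted_ssh_user_t and the interface name restricted_ssh_user_read_config are constructed placeholders; the module is written in refpolicy module style (policy_module, m4 quoting) and assumes the selinux-policy-devel headers are available.

```selinux
# restricted_ssh_user.te  (constructed example, not from the thread)
policy_module(restricted_ssh_user, 1.0)

type restricted_ssh_user_t;
domain_type(restricted_ssh_user_t)

require {
	type etc_t;
}

# 1. Raw policy: every object class and permission is spelled out.
#    This is what "gives you the plain facts", and also what becomes
#    hard to maintain once the module grows.
allow restricted_ssh_user_t etc_t:dir { getattr open read search lock ioctl };
allow restricted_ssh_user_t etc_t:file { getattr open read lock ioctl };
allow restricted_ssh_user_t etc_t:lnk_file { getattr read };

# 2. The same access through the reference policy interface.  One human
#    readable line; the permission sets come from whoever maintains files.if
#    and may change between policy releases.
files_read_etc_files(restricted_ssh_user_t)

# 3. Calling an interface defined locally in restricted_ssh_user.if (below),
#    so the raw rules live in one place and the .te stays readable.
restricted_ssh_user_read_config(restricted_ssh_user_t)
```

The matching interface file would contain the rules from step 1, expressed with refpolicy's permission-set and pattern macros so that the permission lists are not duplicated by hand (constructed example, same placeholder names):

```selinux
# restricted_ssh_user.if  (constructed example, not from the thread)
## <summary>Read the configuration the restricted login user needs.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`restricted_ssh_user_read_config',`
	gen_require(`
		type etc_t;
	')
	# list_dir_perms and read_files_pattern expand to the same allow rules
	# written out by hand in restricted_ssh_user.te step 1.
	allow $1 etc_t:dir list_dir_perms;
	read_files_pattern($1, etc_t, etc_t)
	read_lnk_files_pattern($1, etc_t, etc_t)
')
```

When deciding whether an existing interface fits, read its body rather than trusting its name: with selinux-policy-devel installed the definitions are under /usr/share/selinux/devel/include (for example kernel/files.if for files_read_etc_files). After building and loading the module, sesearch --allow -s restricted_ssh_user_t -t etc_t shows the resulting rules, which is the quickest way to confirm that the interface granted exactly what the raw version would have and nothing more.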