* (no subject)
From: Nick @ 2003-11-26 4:52 UTC (permalink / raw)
To: SE Linux
Steve et al.
Once the initial load has been done and the policy is in place, I should
be able to remove the development dirs (selinux-usr and linux-2.4) and
the policy source (/etc/security/selinux/src) from my pseudo
production box and build new policies on my development server from the
/etc/security/selinux/src directory which I will then propagate over to
the production system.
What about the file contexts, I didn't see these in the policy
directory?
I am working on several things and moving pretty fast so I may have
missed it.
I am going to have to create a /tcb directory and root all trusted code
there (policy, file contexts, binaries). I have been directed to move in
the direction of CMW. What are your thoughts on this.
Nick Gray
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re:
From: Stephen Smalley @ 2003-11-26 13:29 UTC (permalink / raw)
To: Nick; +Cc: SE Linux
On Tue, 2003-11-25 at 23:52, Nick wrote:
> What about the file contexts, I didn't see these in the policy
> directory?
The file contexts configuration is under policy/file_contexts. Once you
have labeled your filesystems, the contexts are stored as extended
attributes of the inodes, so you don't need to retain the configuration
on the machine.
> I am going to have to create a /tcb directory and root all trusted code
> there (policy, file contexts, binaries). I have been directed to move in
> the direction of CMW. What are your thoughts on this.
Seems problematic. Are you going to move login under /tcb? The pam
modules that it relies on? The /etc/shadow file? What is the real
benefit (vs. just locking down the SELinux permissions to the existing
directories and files)?
What do you mean by "move in the direction of CMW"? Switch from SELinux
to a CMW, or try to make SELinux look like a CMW?
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
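
The reply above notes that once filesystems are labeled, the contexts live in the inodes' extended attributes. The following is an added example, not part of the thread or of the SELinux tools: it reads those attributes so a machine can be checked for unlabeled files before the file contexts configuration is removed. It assumes the xattr name `security.selinux` used by current Linux kernels; the helper names, sample paths and sample contexts are constructed for illustration.

```python
import os
import sys

XATTR = "security.selinux"  # assumption: xattr name on current Linux kernels

def parse_context(raw):
    """Decode a raw xattr value into (user, role, type, level-or-None)."""
    text = raw.rstrip(b"\x00").decode("ascii")  # stored value may end in NUL
    parts = text.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError("malformed context: %r" % text)
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)

def read_label(path, getxattr=None):
    """Return the context stored on the inode, or None if there is none."""
    getxattr = getxattr or os.getxattr
    try:
        raw = getxattr(path, XATTR, follow_symlinks=False)
    except OSError:
        return None  # no such xattr, or filesystem without xattr support
    return parse_context(raw)

def audit(paths, getxattr=None):
    """Split paths into {path: context} and a list of paths needing relabel."""
    labeled, unlabeled = {}, []
    for p in paths:
        try:
            ctx = read_label(p, getxattr)
        except ValueError:
            ctx = None  # a malformed label is treated like a missing one
        if ctx is None:
            unlabeled.append(p)
        else:
            labeled[p] = ctx
    return labeled, unlabeled

# Constructed sample standing in for real inodes, so the logic runs offline.
SAMPLE = {
    "/bin/login": b"system_u:object_r:login_exec_t\x00",
    "/etc/shadow": b"system_u:object_r:shadow_t\x00",
    "/tmp/new": None,          # never labeled
    "/tmp/bad": b"garbage",    # present but not a valid context
}

def fake_getxattr(path, name, follow_symlinks=True):
    if SAMPLE.get(path) is None:
        raise OSError("no attribute")
    return SAMPLE[path]

if __name__ == "__main__":
    ok, missing = audit(sys.argv[1:])  # real inodes when run on a Linux host
    for path in missing:
        print("unlabeled:", path)
```
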