From: sds@tycho.nsa.gov (Stephen Smalley)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Fri, 18 Mar 2011 09:37:44 -0400	[thread overview]
Message-ID: <1300455464.25429.10.camel@moss-pluto> (raw)
In-Reply-To: <4D829196.2070804@catseye.org>

On Thu, 2011-03-17 at 18:56 -0400, Mark Montague wrote:
> - I've always struggled with policy file syntax.  What is allowed?  
> Where?  The M4 macros make things more mysterious for me, rather than 
> easier.  I find having to "pre-declare" everything in a require stanza 
> to be frustrating, especially as I'm constantly leaving things out.  
> I've still no understanding of the differences between .if and .te files 
> (e.g., apache.if versus apache.te in the targeted policy)

.if files are for interface/macro definitions.  Similar to a header
file.

> - Roles, in particular, could be better documented, in my opinion.  At 
> least, I have not found any great documentation that addresses everyday 
> situations with roles.  I'd like to make more use of roles in order to 
> run more secure servers, but am a bit lost.

Agreed, but have you looked at:
http://selinuxproject.org/page/RefpolicyBasicRoleCreation

It is far from everything one might want, but at least it is a starting
point.

> - I've got little to no understanding of what the SELinux code in the 
> kernel does or how it does it.  It's a black box on which I twiddle 
> knobs and hope I get the result I want.  I see AVC denial messages but 
> have no idea what the Access Vector Cache is.

The following is a nice walk through the SELinux kernel code by someone
other than its developers:
http://www.imperialviolet.org/2009/07/14/selinux.html

There are also the official docs:
http://www.nsa.gov/research/selinux/docs.shtml

> - Finding and installing the "right" Fedora / Red Hat RPMs for what 
> needs to be done (e.g., building policies).  (It's simple once you know, 
> but I had a great deal of trouble finding out): setools setools-devel 
> libsemanage-devel policycoreutils-python selinux-policy-devel 
> selinux-policy-doc.   policycoreutils-python was a big problem for me in 
> particular here, since the name of the RPM implies -- to me -- that it 
> is a set of policy core utilities for *use* with python, rather than 
> tools *written* in python (normally, when installing an RPM, I don't 
> care about what language was used to write the programs that it contains).

Maybe we need a yum group for all of this?  Dan?  PolicyDevel or
similar?

-- 
Stephen Smalley
National Security Agency
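A minimal illustration of the .if/.te split described above, added here as an example and not part of the original message: the module name myapp, its types, and the consuming domain webserver_t are made up, while the refpolicy support macros it calls (policy_module, gen_require, read_files_pattern, files_config_file, init_daemon_domain, optional_policy) are the real ones.

```m4
# myapp.if : the "header" -- interfaces that other modules may call.
# The gen_require() inside the interface declares what the caller needs
# from this module, so callers never write their own require stanza
# for myapp_conf_t.
########################################
## <summary>
##	Read myapp configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_read_config',`
	gen_require(`
		type myapp_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, myapp_conf_t, myapp_conf_t)
')

# myapp.te : the module body -- declares the types and the rules for
# myapp's own domain. Nothing here is visible to other modules except
# through the interfaces in myapp.if.
policy_module(myapp, 1.0.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_conf_t;
files_config_file(myapp_conf_t)

allow myapp_t myapp_conf_t:file read_file_perms;

# webserver.te (a different, made-up module) : consumes the interface.
# optional_policy() keeps this module loadable even when myapp is not
# installed, because the require inside the interface is then skipped.
optional_policy(`
	myapp_read_config(webserver_t)
')
```

Running `make -f /usr/share/selinux/devel/Makefile` in a directory holding the .te/.if/.fc triple expands the m4 and builds the loadable module, which is where a missing require surfaces as an "unknown type" error.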
