Re: Generating policy for embedded platforms.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stephen Smalley <sds@tycho.nsa.gov>
To: Sam Gandhi <samgandhi9@gmail.com>
Cc: selinux@tycho.nsa.gov
Subject: Re: Generating policy for embedded platforms.
Date: Thu, 14 Apr 2011 14:26:09 -0400	[thread overview]
Message-ID: <1302805569.31033.76.camel@moss-pluto> (raw)
In-Reply-To: <BANLkTi=ftkNxDqqS9=19ofhmVisc2kSDjw@mail.gmail.com>

On Thu, 2011-04-14 at 11:06 -0700, Sam Gandhi wrote:
> I removed all the allow statements in the policy.conf generated by mdp
> and left just one allow statement
> 
> allow base_t base_t:user73 *;
> 
> Now see the AVC messages as my daemons start, will convert them to
> policy statement using audi2allow. Is this the right approach in
> generating minimal policy for embedded platforms?

That will just generate a policy with all processes running in base_t
and all files labeled with base_t; audit2allow doesn't generate new
types for you.  You need to give some thought to that your security
goals are, what subjects and objects you want to distinguish, define
types and type transitions for those subjects and objects, and label the
subject executables and objects accordingly.  Only then can you begin to
exercise the system and "learn" policy using audit2allow.  You can of
course do this incrementally, e.g. start by splitting out some small set
of subject types (aka "domains") and some coarse-grained division of
your filesystem into a small number of file types, and refine it over
time.

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

     prev parent reply	other threads:[~2011-04-14 18:26 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-04-14 16:07 Generating policy for embedded platforms Sam Gandhi
2011-04-14 17:04 ` Stephen Smalley
2011-04-14 18:06   ` Sam Gandhi
2011-04-14 18:26     ` Stephen Smalley [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1302805569.31033.76.camel@moss-pluto \
    --to=sds@tycho.nsa.gov \
    --cc=samgandhi9@gmail.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.