* Policies.. but where there are?
@ 2003-07-03 21:48 Mauro Chiarugi
  2003-07-03 22:52 ` Russell Coker
  2003-07-03 22:58 ` Howard Holm
  0 siblings, 2 replies; 8+ messages in thread
From: Mauro Chiarugi @ 2003-07-03 21:48 UTC (permalink / raw)
  To: selinux

Hi,
I've just read some docs about SELinux, but I haven't understood
where these policies (domains, etc.) are saved.. when I compile the
policy, where is this information recorded? In the kernel? In a file?
In the filesystem?

thanks

bye bye

sracatus

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Policies.. but where there are?
  2003-07-03 21:48 Policies.. but where there are? Mauro Chiarugi
@ 2003-07-03 22:52 ` Russell Coker
  2003-07-04  6:51   ` Mauro Chiarugi
  2003-07-03 22:58 ` Howard Holm
  1 sibling, 1 reply; 8+ messages in thread
From: Russell Coker @ 2003-07-03 22:52 UTC (permalink / raw)
  To: Mauro Chiarugi, selinux

On Fri, 4 Jul 2003 07:48, Mauro Chiarugi wrote:
> I've just read some docs about SELinux, but I haven't understood
> where these policies (domains, etc.) are saved.. when I compile the
> policy, where is this information recorded? In the kernel? In a file?
> In the filesystem?

They are stored in a "policy database" named /etc/security/selinux/policy.XX 
(where XX is the version number) in recent versions.

The policy may be loaded into a running SE Linux kernel with the load_policy 
command, and it will be loaded from that location automatically on boot.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Policies.. but where there are?
  2003-07-03 21:48 Policies.. but where there are? Mauro Chiarugi
  2003-07-03 22:52 ` Russell Coker
@ 2003-07-03 22:58 ` Howard Holm
  1 sibling, 0 replies; 8+ messages in thread
From: Howard Holm @ 2003-07-03 22:58 UTC (permalink / raw)
  To: Mauro Chiarugi; +Cc: selinux

The policy is built using a Makefile which combines the files with the
policy statements (and M4 macros) into a single policy.conf.  The
policy.conf file is compiled by the checkpolicy program into a file
better parsed by computers than humans.  The compiled output file is
loaded into kernel data structures which are then used during access
control checks.

That is a very brief very high-level answer.  Does it answer your
question?

On Thu, 2003-07-03 at 17:48, Mauro Chiarugi wrote:
> Hi,
> I've just read some docs about SELinux, but I haven't understood
> where these policies (domains, etc.) are saved.. when I compile the
> policy, where is this information recorded? In the kernel? In a file?
> In the filesystem?
> 
> thanks
> 
> bye bye
> 
> sracatus
-- 
Howard Holm <hdholm@epoch.ncsc.mil>
Secure Systems Research Office
National Security Agency



^ permalink raw reply	[flat|nested] 8+ messages in thread
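
Added example, not part of the thread and not code from the SELinux tools: a reader for the header of the compiled policy file that the two replies above describe, checking that the version stored in the file agrees with the XX suffix of policy.XX. The layout (magic number, the string "SE Linux", then a version word) is the one the Linux kernel's policy reader checks and is assumed to apply to the files discussed here; the sample bytes, the version 15 and the function names are constructed for illustration.

```python
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # SELINUX_MAGIC in the Linux kernel source
POLICYDB_STRING = b"SE Linux"    # identification string that follows the magic


def parse_policy_header(blob: bytes) -> dict:
    """Return the header fields of a compiled policy, or raise ValueError."""
    if len(blob) < 8:
        raise ValueError("truncated header")
    magic, str_len = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}: not a compiled policy")
    # Validate the declared length before trusting it as a slice bound.
    if str_len != len(POLICYDB_STRING) or blob[8:8 + str_len] != POLICYDB_STRING:
        raise ValueError("identification string mismatch")
    off = 8 + str_len
    if len(blob) < off + 16:
        raise ValueError("truncated version block")
    version, config, sym_num, ocon_num = struct.unpack_from("<4I", blob, off)
    return {"version": version, "config": config,
            "symbol_tables": sym_num, "object_contexts": ocon_num}


def matches_filename(path: str, header: dict) -> bool:
    """policy.XX: the suffix should equal the version stored in the file."""
    suffix = path.rsplit(".", 1)[-1]
    return suffix.isdigit() and int(suffix) == header["version"]


def build_sample(version: int) -> bytes:
    # Constructed header only; the three words after the version are placeholders.
    return (struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
            + POLICYDB_STRING + struct.pack("<4I", version, 0, 6, 6))


if __name__ == "__main__":
    hdr = parse_policy_header(build_sample(15))
    print(hdr, matches_filename("/etc/security/selinux/policy.15", hdr))
```
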

* Re: Policies.. but where there are?
  2003-07-03 22:52 ` Russell Coker
@ 2003-07-04  6:51   ` Mauro Chiarugi
  2003-07-04  7:41     ` Russell Coker
  0 siblings, 1 reply; 8+ messages in thread
From: Mauro Chiarugi @ 2003-07-04  6:51 UTC (permalink / raw)
  Cc: selinux

On Fri, 4 Jul 2003 08:52:51 +1000
Russell Coker, muttering, said:

> They are stored in a "policy database" named
> /etc/security/selinux/policy.XX (where XX is the version number) in
> recent versions.

I believe that policy.XX is protected against attacks, such as malicious
editing.. is it right???

-- 
Turning the other cheek does not mean
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT DROP

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Policies.. but where there are?
  2003-07-04  6:51   ` Mauro Chiarugi
@ 2003-07-04  7:41     ` Russell Coker
  2003-07-04 11:31       ` Mauro Chiarugi
  0 siblings, 1 reply; 8+ messages in thread
From: Russell Coker @ 2003-07-04  7:41 UTC (permalink / raw)
  To: Mauro Chiarugi; +Cc: selinux

On Fri, 4 Jul 2003 16:51, Mauro Chiarugi wrote:
> On Fri, 4 Jul 2003 08:52:51 +1000
>
> Russell Coker, muttering, said:
> > They are stored in a "policy database" named
> > /etc/security/selinux/policy.XX (where XX is the version number) in
> > recent versions.
>
> I believe that policy.XX is protected against attacks, such as malicious
> editing.. is it right???

Yes.  There is a special type for it and it is protected against editing.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Policies.. but where there are?
  2003-07-04  7:41     ` Russell Coker
@ 2003-07-04 11:31       ` Mauro Chiarugi
  2003-07-04 15:06         ` Tom
  0 siblings, 1 reply; 8+ messages in thread
From: Mauro Chiarugi @ 2003-07-04 11:31 UTC (permalink / raw)
  To: Russell Coker, selinux

On Fri, 4 Jul 2003 17:41:36 +1000
Russell Coker, muttering, said:

> Yes.  There is a special type for it and it is protected against
> editing.

And what happens if I boot with a normal kernel??

Thanks again :P

bye

-- 
Turning the other cheek does not mean
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT DROP

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: Policies.. but where there are?
  2003-07-04 11:31       ` Mauro Chiarugi
@ 2003-07-04 15:06         ` Tom
  0 siblings, 0 replies; 8+ messages in thread
From: Tom @ 2003-07-04 15:06 UTC (permalink / raw)
  To: Mauro Chiarugi; +Cc: Russell Coker, selinux

On Fri, Jul 04, 2003 at 01:31:13PM +0200, Mauro Chiarugi wrote:
> > Yes.  There is a special type for it and it is protected against
> > editing.
> 
> And what happens if I boot with a normal kernel??

There is no special protection in SELinux against malicious users with
full access to the physical machine. Encrypted filesystems and
physically secure server rooms are your tools in that area.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


^ permalink raw reply	[flat|nested] 8+ messages in thread
