Re: Policy writing philosophy...

[Dominick Grift <domg472@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1710 bytes --]

On Tue, Dec 15, 2009 at 12:43:37PM -0500, Hasan Rezaul-CHR010 wrote:
> Hi All,
> 
> I have Linux 2.6.27 on a non-popular Linux distro, and I have the
> following SELinux package versions :
>   
> >  checkpolicy-2.0.19
> >  libselinux-2.0.85
> >  libsemanage-2.0.33
> >  libsepol-2.0.37
> >  policycoreutils-2.0.69
> >  sepolgen-1.0.17
> 
> I know SELinux's is governing framework is that by default everything is
> DENIED, except all accesses that are explicitly allowed in the policy...
> 
> Is there anyway whatsoever to reverse that philosophy ?  In other words,
> is it possible to configure things and write policy in a way such that:
> 
> Only explicit things are disallowed... So whenever no explicit policy
> exists for an access request it is actually ALLOWED. This way, if I
> write a new task or process, I don't have to write new policy for it to
> allow all the things it needs. By default things will just be allowed,
> unless some of those accesses have been explicitly disallowed in policy
> ?
> 
> My guess is that this CANT be done... But thought I would ask anyway ?

Fedoras' selinux-policy-minimal is supposed to be just that (well kind of). By default everything runs in a unconfined domain which is allowed all access. To restrict processes you should explicitly write policy. 
> 
> Also can SELinux mappings be created for a Unix Group, as opposed to
> mapping to individual Linux Users ?

No afaik.
> 
> Thanks.
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]