SELinux - Shaun Savage

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Shaun Savage <savages@pcez.com>
To: selinux@tycho.nsa.gov
Subject: SELinux
Date: Wed, 20 Feb 2002 21:27:29 -0800	[thread overview]
Message-ID: <3C748541.6050708@pcez.com> (raw)

I have been customizing the policy now for about three months.  If you 
think of writing new policy as designing a state machine thing are easier.
the questions you need to ask is
1> How do you get to the execution of the program.  What domain should 
you allow to start this program?
2> What protections are required? This is the biggest issue.  Is there a 
  log file?  Does the program acceses any sockets? Is there user 
communcation?  Detail knowledge of the application is needed.  I tend to 
be paranoid so I create too many sub domains and make the policy difficult.
3> What programs are allowed to access this application data?

Read the policy/macros.te file
The linux/security/selinux/include/flask/*.h
av_permissions.h gives the bit pattern of all the permissions
av_perm_to_string.h & common_perm_to_string.h is some of the string
    permissions
class_to_string.h is most of the objects
flask.h gives the object classes

The main thing is to understand the application. Know what files, 
sockets, are being accesed and how.

I do agree that there needs to be a more documentation, but if there 
isn't the you can earn big dollars if you know it, I hope ;-).

Shaun Savage

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next             reply	other threads:[~2002-02-21  5:28 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2002-02-21  5:27 Shaun Savage [this message]
2002-02-21 15:36 ` SELinux Stephen Smalley
2002-02-21 17:33 ` SELinux David Caplan
  -- strict thread matches above, loose matches on Subject: below --
2003-03-20  0:29 selinux Menon, Sunanda R
2003-03-20 21:26 ` selinux Howard Holm
2003-07-25  3:04 SeLinux Azeem Gopalani
2004-04-06 15:15 selinux Harald Hoyer
2008-02-17 20:11 SELinux Justin Mattock
2018-09-13 15:01 SELinux khalid fahad

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3C748541.6050708@pcez.com \
    --to=savages@pcez.com \
    --cc=selinux@tycho.nsa.gov \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.