From: Daniel J Walsh <dwalsh@redhat.com>
To: Davide Bolcioni <dbolcioni@3di.it>
Cc: fedora-selinux-list@redhat.com, SELinux <SELinux@tycho.nsa.gov>
Subject: Re: Is there a SELinux tutorial for ISVs ?
Date: Thu, 28 Apr 2005 11:54:30 -0400 [thread overview]
Message-ID: <42710736.2020001@redhat.com> (raw)
In-Reply-To: <42709B74.4000508@3di.it>
This string of messages brings up something I wanted to get a
conversation going on how to handle non OS Provided policy.
We all know we need a better mechanism for handling "binary" policy in
the future. ( I think the future is now.)
I see three people providing policy.
1. OS Provider with base policy. (It would also be nice if the base
policy got broken into several policies and only the policy
of the running service would be loaded. If we got to this state we
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy.
2. Third Party application developers. As the use of targeted policy
has begun to take off, Third Party ISV have started to question
how they can play in this world.
I see Tresys Stuff solving the problems of both of the above.
3 Local User customization and minor policies. Currently we have people
using audit2allow creating files in domains/misc and then
reloading policy. We need a mechanism for users to be able to do this
without recompiling policy. Also more significantly how
do we handle the small diffed apache_domain stuff. A couple of months
ago I redesigned apache policy to have a macro called
apache_domain. A user could create a new apache_XYZ.te file with
apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts
working without turning off apache protection or running their script in
httpd_unconfined_script_t.
The problem is the only way to do this is to install policy sources and
muck around. I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily
build their own custom policy.
Anyways I think we need more discussion on handling third party and user
customization of policy outside of the current make tree stuff.
Dan
Dan
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next parent reply other threads:[~2005-04-28 15:54 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <426F8B45.8070509@3di.it>
[not found] ` <pan.2005.04.27.23.10.29.993659@navi.cx>
[not found] ` <42709B74.4000508@3di.it>
2005-04-28 15:54 ` Daniel J Walsh [this message]
2005-04-28 17:32 ` Is there a SELinux tutorial for ISVs ? Lorenzo Hernández García-Hierro
2005-04-28 17:51 ` Stephen Smalley
2005-04-28 20:38 ` Karl MacMillan
2005-04-29 13:02 ` Karl MacMillan
2005-04-28 18:29 Chad Hanson
2005-04-28 20:32 ` Karl MacMillan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=42710736.2020001@redhat.com \
--to=dwalsh@redhat.com \
--cc=SELinux@tycho.nsa.gov \
--cc=dbolcioni@3di.it \
--cc=fedora-selinux-list@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.