From: dE <de.techno@gmail.com>
To: selinux@tycho.nsa.gov
Subject: Re: Why is SELINUXTYPE policy specific?
Date: Tue, 22 Apr 2014 10:29:12 +0530
Message-ID: <5355F720.7010605@gmail.com>
In-Reply-To: <CAPzO=Nzkn13La7VDcFjCah8CGmhW7R6Vm+zoMFR80DhPNgD3wg@mail.gmail.com>

On 04/21/14 13:31, Sven Vermeulen wrote:
> On Sun, Apr 20, 2014 at 2:23 PM, dE <de.techno@gmail.com> wrote:
>> There are 3 security models in which SELinux can work -- TE, RBAC and MLS.
>>
>> And there are 6 types of SELinux policies --
>>
>> targeted, mls, mcs, standard, strict or minimum.
>>
>> Each security model requires its own set of policies and the policies can
>> be 1 of the 6 types. So can all the 3 security models and 6 types be
>> intermixed? Won't there be conflicts like with MLS and RBAC?
> The SELINUXTYPE value should be seen as the name given to a policy
> store. The contents (the actual policy, the features it supports, the
> fact that it is MLS-enabled or not) have nothing to do with the name
> of the store per se. It is just a matter of convenience that policy
> stores are named in a particular way so that, cross-distributions,
> security administrators can deduce the type and features of the policy
> based on the name.
>
> For instance, on RHEL6, "targeted" is the name given to the policy
> store that contains an MCS policy with support for unconfined domains.
> On Gentoo, this name is rather used for non-MCS policy with support
> for unconfined domains.
>
> Afaik, there is no conflict between RBAC and MLS. With MLS, the
> SELinux subsystem allows or denies access based on the dominance rules
> between the domains' security clearance and the resource sensitivity
> level. RBAC instead allows or denies a SELinux role to be associated
> with a particular domain.
>
> Wkr,
>    Sven Vermeulen

So can policies which support RBAC be made to have a different
SELINUXTYPE?

Can targeted, mls, mcs, standard, strict or minimum also be considered
as different security models? Since all these are made based on the TE
model, can we make a custom security model based on TE and give it a
different SELINUXTYPE?

Thanks for the response.
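
Added example, not part of the original message or of any SELinux project code: it reads the store name from SELINUXTYPE and, separately, the MLS flag from the header of a binary kernel policy, showing that the same store name can hold policies with different features, as in the quoted RHEL6 and Gentoo case. The function names and the sample config and header bytes are constructed for illustration; the magic number, the "SE Linux" string and the MLS config bit follow the binary policy header layout used by libsepol.

```python
import re
import struct

POLICYDB_MAGIC = 0xF97CFF8C      # magic number of a kernel binary policy
POLICYDB_STRING = b"SE Linux"    # identification string after the magic
POLICYDB_CONFIG_MLS = 0x1        # config bit: policy carries MLS/MCS fields


def selinuxtype(config_text):
    """Return the SELINUXTYPE value (the policy store name), or None."""
    for line in config_text.splitlines():
        m = re.match(r"\s*SELINUXTYPE\s*=\s*(\S+)", line)  # skips '#' comments
        if m:
            return m.group(1)
    return None


def policy_header(blob):
    """Parse the start of a binary policy and return (version, mls_enabled)."""
    if len(blob) < 8:
        raise ValueError("truncated policy header")
    magic, strlen = struct.unpack_from("<II", blob, 0)
    if magic != POLICYDB_MAGIC:
        raise ValueError("not a kernel binary policy")
    end = 8 + strlen
    if blob[8:end] != POLICYDB_STRING or len(blob) < end + 8:
        raise ValueError("bad or truncated policy header")
    version, config = struct.unpack_from("<II", blob, end)
    return version, bool(config & POLICYDB_CONFIG_MLS)


def describe(config_text, blob):
    """Pair the store name with what the policy content itself declares."""
    version, mls = policy_header(blob)
    return {"store": selinuxtype(config_text), "version": version, "mls": mls}


def fake_policy(version, config):
    """Constructed sample: header words only, not a loadable policy."""
    head = struct.pack("<II", POLICYDB_MAGIC, len(POLICYDB_STRING))
    return head + POLICYDB_STRING + struct.pack("<II", version, config)


if __name__ == "__main__":
    cfg = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"  # constructed sample
    # Same store name, two different policies behind it.
    print(describe(cfg, fake_policy(24, POLICYDB_CONFIG_MLS)))
    print(describe(cfg, fake_policy(24, 0)))
```

On a real system the inputs would be the text of /etc/selinux/config and the bytes of the policy file under /etc/selinux/<SELINUXTYPE>/policy/.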
