* How to build a simplified refpolicy?
@ 2014-07-22  9:16 kuangjiou
  2014-07-22 12:18 ` Christopher J. PeBenito
  2014-07-22 12:34 ` Stephen Smalley
  0 siblings, 2 replies; 3+ messages in thread
From: kuangjiou @ 2014-07-22  9:16 UTC (permalink / raw)
  To: selinux@tycho.nsa.gov


Hello, everyone!
I have recently been learning SELinux and am trying to enable SELinux in Embedded Linux. As we know, the refpolicy has too many rules to use in embedded devices, and I also do not need so many rules in my policy. I just want to control the accesses to some targeted files and allow the accesses to the rest of the files. So is it possible to (and how can I) build my own simplified policy to achieve this goal?
Could anybody give me some suggestions to resolve this problem? I am looking forward to your replies! Thank you very much!

Sylar



* Re: How to build a simplified refpolicy?
  2014-07-22  9:16 How to build a simplified refpolicy? kuangjiou
@ 2014-07-22 12:18 ` Christopher J. PeBenito
  2014-07-22 12:34 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Christopher J. PeBenito @ 2014-07-22 12:18 UTC (permalink / raw)
  To: kuangjiou, selinux@tycho.nsa.gov

On 7/22/2014 5:16 AM, kuangjiou wrote:
> Hello, everyone!
> I have recently been learning SELinux and am trying to enable SELinux
> in Embedded Linux. As we know, the refpolicy has too many rules to use
> in embedded devices, and I also do not need so many rules in my policy.
> I just want to control the accesses to some targeted files and allow
> the accesses to the rest of the files. So is it possible to (and how
> can I) build my own simplified policy to achieve this goal?
> Could anybody give me some suggestions to resolve this problem? I am
> looking forward to your replies! Thank you very much!

You should be able to compile refpolicy with just the kernel layer
modules.  Then the only domain you'd have is kernel_t plus types for
handling devices and base files.

Note: this discussion is best for the refpolicy mail list instead.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

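
The build step Chris describes, as an added worked example (this is not code from the thread or from the refpolicy project): after `make conf` has generated policy/modules.conf, switch every module that does not live under policy/modules/kernel to `off`, then build as usual. The directory layout and the `name = base|module|off` line format are what a refpolicy checkout uses; the sample tree the script builds for itself is constructed here so the script runs without a real checkout.

```shell
#!/bin/sh
# Added example, not code from this thread or from the refpolicy project.
# Reduces a refpolicy build to the kernel layer: every module whose .te
# file is not under policy/modules/kernel is switched to "off" in
# policy/modules.conf, so the resulting policy has kernel_t plus the
# device and base file types, as described in the reply above.
#
# Assumed refpolicy layout (matches a normal checkout):
#   <root>/policy/modules.conf            lines of "name = base|module|off"
#   <root>/policy/modules/<layer>/<name>.te
set -eu

# Rewrite <root>/policy/modules.conf in place, keeping kernel-layer
# entries as generated by "make conf" and turning everything else off.
minimize_modules_conf() {
    root=$1
    conf=$root/policy/modules.conf
    tmp=$conf.tmp
    : > "$tmp"
    while IFS= read -r line; do
        case $line in
            '' | '#'*)            # blank lines and layer comments pass through
                printf '%s\n' "$line" >> "$tmp"
                continue ;;
        esac
        name=${line%%=*}
        name=$(printf '%s' "$name" | tr -d ' \t')
        if [ -f "$root/policy/modules/kernel/$name.te" ]; then
            printf '%s\n' "$line" >> "$tmp"
        else
            printf '%s = off\n' "$name" >> "$tmp"
        fi
    done < "$conf"
    mv "$tmp" "$conf"
}

# Number of modules still built (base or module) in a modules.conf.
count_enabled() {
    grep -Ec '^[a-z0-9_]+[[:space:]]*=[[:space:]]*(base|module)[[:space:]]*$' "$1" || true
}

# Constructed stand-in for a refpolicy checkout, so the script runs
# without a real tree: a few kernel-layer modules plus init and ssh.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/policy/modules/kernel" \
             "$dir/policy/modules/system" \
             "$dir/policy/modules/services"
    for m in kernel devices files filesystem terminal; do
        : > "$dir/policy/modules/kernel/$m.te"
    done
    : > "$dir/policy/modules/system/init.te"
    : > "$dir/policy/modules/services/ssh.te"
    cat > "$dir/policy/modules.conf" <<'EOF'
# Layer: kernel
kernel = base
devices = base
files = base
filesystem = base
terminal = base
# Layer: system
init = base
# Layer: services
ssh = module
EOF
    printf '%s\n' "$dir"
}

# On a real checkout the sequence is: edit build.conf, "make conf",
# run minimize_modules_conf on the tree, then "make" and "make install".
sample=$(make_sample_tree)
minimize_modules_conf "$sample"
echo "modules still enabled: $(count_enabled "$sample/policy/modules.conf")"
cat "$sample/policy/modules.conf"
rm -rf "$sample"
```

Two caveats for an embedded target. `make conf` regenerates policy/modules.conf, so run the trimming after it, not before; setting MONOLITHIC=y in build.conf avoids needing the module store and semodule on the device. And a kernel-layer-only policy really does leave every process, init included, in kernel_t, because no other domain exists to transition into. To get the original poster's goal of restricting a few targeted files, at least one small module of your own is still needed: a type for those files, a domain for the process allowed to touch them, and a file context entry so the files get labelled.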

* Re: How to build a simplified refpolicy?
  2014-07-22  9:16 How to build a simplified refpolicy? kuangjiou
  2014-07-22 12:18 ` Christopher J. PeBenito
@ 2014-07-22 12:34 ` Stephen Smalley
  1 sibling, 0 replies; 3+ messages in thread
From: Stephen Smalley @ 2014-07-22 12:34 UTC (permalink / raw)
  To: kuangjiou, selinux@tycho.nsa.gov

On 07/22/2014 05:16 AM, kuangjiou wrote:
> Hello, everyone!
> I have recently been learning SELinux and am trying to enable SELinux
> in Embedded Linux. As we know, the refpolicy has too many rules to use
> in embedded devices, and I also do not need so many rules in my policy.
> I just want to control the accesses to some targeted files and allow
> the accesses to the rest of the files. So is it possible to (and how
> can I) build my own simplified policy to achieve this goal?
> Could anybody give me some suggestions to resolve this problem? I am
> looking forward to your replies! Thank you very much!

In addition to Chris' suggestion of how you can in fact build a minimal
refpolicy, another alternative is to create a policy from scratch for
your embedded Linux.  This is what we did for Android, see our NDSS'13
paper and the policy in the AOSP tree.

http://internetsociety.org/doc/security-enhanced-se-android-bringing-flexible-mac-android

https://android.googlesource.com/platform/external/sepolicy

