[DSE-Dev] Fixing up SELinux reference policy for Debian
Manoj Srivastava
srivasta at debian.org
Tue May 22 17:45:41 UTC 2007
On Mon, 21 May 2007 20:05:54 +1000, Russell Coker <russell at coker.com.au> said:
>> localStrict.te included below). I can compile my packages, and run
> Does localStrict.te really provide a benefit?
It quells any AVC messages; and some of them were quite
prolific. This way, any new messages are not lost in a flood of known
issues.
For me, personally, it allows me to stage in changes in policy,
and play around with apol, before deciding whether or not to move any
changes into Debian's refpolicy.
> Now further changes: It's probably best to permit getattr access when
> read access is permitted, I omitted this in the
> fs_allow_tmpfs_file_read patch I sent you.
> I'll send other patches soon.
Thanks.
I have now run my UML machine for four days with no
activity, to capture any default cron jobs that might run into
problems with strict policy. I did it over the weekend, to capture
anything special over Saturday and Sunday; and there has been no
activity in the logs. So at least a minimal build machine at rest is
now fine with strict policy.
I think we might be able to move closer to having grub options
available for users in lenny -- for example, excerpts from my
grub menu.lst are:
# kopt=root=/dev/hda6 ro vga=791 splash=silent
# alternative=true
# defoptions=selinux=0 audit=0
# altoptions=(recovery mode) selinux=0 audit=0 single
# altoptions=(SELinux) selinux=1 audit=1
With this, booting into SELinux can be as simple as selecting
the proper boot image.
manoj
--
A man paints with his brains and not with his hands.
Manoj Srivastava <srivasta at debian.org> <http://www.debian.org/~srivasta/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
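The triage described in the mail above (quelling known denials in a local policy module so that new AVC messages are not lost in a flood of known ones) can also be done on the log side. The script below is an added example, not code from the original mail, from Debian's refpolicy or from the SELinux userland: it reduces audit-style `avc: denied` lines to (scontext, tcontext, tclass, permission) tuples, counts them, and reports only the tuples that are not already on a "known" list. The function names, the known-tuples file and the log lines in `sample_avc_log` are constructed for illustration; a second small function reads the `selinux=`/`audit=` keys out of a kernel command line in the spirit of the menu.lst excerpt, which is one way to confirm which boot entry you actually took.

```shell
#!/bin/sh
# Added example (not part of the original mail or of refpolicy):
# log-side triage of AVC denials, plus a kernel-command-line check.

# Constructed sample audit lines. In practice read /var/log/audit/audit.log
# (or the kernel log if auditd is not running) instead of this function.
sample_avc_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1179849941.100:40): arch=40000003 syscall=5 success=no exit=-13 comm="cron"
type=AVC msg=audit(1179849941.100:41): avc:  denied  { read } for  pid=100 comm="cron" name="crontab" dev=hda6 ino=1001 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1179849941.200:42): avc:  denied  { read } for  pid=101 comm="cron" name="crontab" dev=hda6 ino=1001 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1179849941.300:43): avc:  denied  { getattr } for  pid=101 comm="cron" path="/etc/crontab" dev=hda6 ino=1001 scontext=system_u:system_r:crond_t tcontext=system_u:object_r:etc_t tclass=file
type=AVC msg=audit(1179849942.400:44): avc:  denied  { read getattr } for  pid=200 comm="sshd" path="/dev/shm/x" dev=tmpfs ino=7 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:tmpfs_t tclass=file
EOF
}

# Reduce each denial on stdin to one line per permission:
#   "<scontext> <tcontext> <tclass> <permission>"
# pid, comm, path and inode are dropped so identical denials collapse.
avc_tuples() {
    awk '
    /avc: +denied/ {
        perms = ""; s = ""; t = ""; c = ""
        if (match($0, /denied +[{][^}]*[}]/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perms)
            sub(/ *[}]/, "", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print s, t, c, p[j]
    }'
}

# Count each distinct tuple, most prolific first: "<count> <tuple>".
avc_counts() {
    avc_tuples | sort | awk '
        $0 != prev { if (NR > 1) print n, prev; prev = $0; n = 0 }
        { n++ }
        END { if (NR > 0) print n, prev }' | sort -rn
}

# Print only tuples that are not listed (one per line) in the known-tuples
# file named by $1, i.e. the denials a local module such as localStrict.te
# does not yet cover. A missing or empty file means everything is new.
avc_new() {
    avc_tuples | sort -u | awk -v kf="$1" '
        BEGIN { while ((getline line < kf) > 0) seen[line] = 1 }
        !($0 in seen)'
}

# Report the selinux= and audit= keys from a kernel command line string
# (e.g. "$(cat /proc/cmdline)"). A key that is absent or misspelled is
# simply not recognised by the kernel, so it is reported as "default".
cmdline_mode() {
    sel=default; aud=default
    for word in $1; do
        case "$word" in
            selinux=*) sel=${word#selinux=} ;;
            audit=*)   aud=${word#audit=} ;;
        esac
    done
    printf 'selinux=%s audit=%s\n' "$sel" "$aud"
}

# Demo on the constructed sample: counts, then the same run with the two
# crond_t denials treated as known.
sample_avc_log | avc_counts
cmdline_mode "root=/dev/hda6 ro vga=791 splash=silent selinux=1 audit=1"
```

Usage against a real box is `avc_new known.txt < /var/log/audit/audit.log`, where `known.txt` holds the tuples you have already handled in your local module; anything printed is a denial the module does not yet account for, and `avc_counts` tells you which of those is the prolific one worth fixing first. The awk parsing only understands the `avc: denied { perms } ... scontext= tcontext= tclass=` form; for anything more elaborate, `audit2allow` from the policycoreutils package is the proper tool.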