On Wed, 25 May 2005 09:23:45 PDT, Casey Schaufler said: > here is that nowhere is there a complete and > accurate description of how, *in general* one > would go about creating an arbitrary and > complete policy using SELinux. Real-life example: There are many sites who do *not* necessarily need a full-blown SELinux, but *do* want to express a policy that basically boils down to "A chroot'ed process is not allowed to XYZ". It appears the only way to do this inside SELinux is to define a special chrooted_exec_t and force an auto_trans on exec. And in general, it's very hard to write a predicate that says "A process in condition/state X" - one has to enumerate all the possible binaries and create a separate "might_do_x_exec_t" (particularly interesting if you have binaries that might do X if run one way, but not another (think anything that behaves differently if launched from Cron) and start writing policy. And if a given process might end up in X *or* Y *or* Z, things start getting very ugly...
This archive was generated by hypermail 2.1.3 : Wed May 25 2005 - 09:37:23 PDT