| 1 |
On Fri, Nov 04, 2011 at 07:58:45AM -0400, Anthony G. Basile wrote: |
| 2 |
> I'll let SwifT and other Selinuxers comment in detail on your policies. |
| 3 |
> I would just caution that if you keep creating policies to make every |
| 4 |
> violation disappear under all circumstanced then you're effectively |
| 5 |
> disabling selinux. So you need to examine the consequence of each rule |
| 6 |
> as you are doing, or asking us to do, which is good. |
| 7 |
|
| 8 |
Indeed. You've probably noticed a lengthy post of mine on the previous |
| 9 |
thread. The next is a short version: |
| 10 |
|
| 11 |
tl;dr - Make sure that every denial you want to resolve is properly |
| 12 |
documented (what was doing what for which reason and why is it breaking), |
| 13 |
not just an entire denial log. |
| 14 |
|
| 15 |
Of course, there are two (or even more) sides to consider. If the policy you |
| 16 |
sent out is working for you but you have no desire to maintain it for more |
| 17 |
people (or get it in a manageable way for others to take up maintenance) |
| 18 |
then the policy is more than fine. After all, you're the security |
| 19 |
administrator for your system, so you control the security policies the way |
| 20 |
you please. |
| 21 |
|
| 22 |
However, if the policy is meant to be included in Gentoo, we try to follow |
| 23 |
the style mandated by the reference policy [1], one of which includes that |
| 24 |
the .te and .if file should never directly mention domains (like |
| 25 |
user_home_t) if that domain is not created by that .te file. If you need to |
| 26 |
give privileges on your domain for user_home_t (or other domains), please |
| 27 |
try using the interfaces defined in those domains instead. |
| 28 |
|
| 29 |
[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide and links from |
| 30 |
that page |
| 31 |
|
| 32 |
> @SwifT - did you ever migrate that doc on how to debug policies to the tree? |
| 33 |
|
| 34 |
Yup, it's at [2] and should still be up to date (you never know ;-) I'm |
| 35 |
going to make this a bit easier for folks by requesting infra a git repo |
| 36 |
where we can develop SELinux policy patches more easily (currently it is |
| 37 |
done on github [3] and [4]). |
| 38 |
|
| 39 |
[2] http://www.gentoo.org/proj/en/hardened/selinux-development.xml |
| 40 |
[3] https://github.com/sjvermeu/hardened-refpolicy |
| 41 |
[4] https://github.com/sjvermeu/small.coding/tree/HEAD/selinux-modules/patches |
| 42 |
|
| 43 |
Wkr, |
| 44 |
Sven Vermeulen |
Archives