On Fri, Nov 04, 2011 at 07:58:45AM -0400, Anthony G. Basile wrote:
> I'll let SwifT and other Selinuxers comment in detail on your policies.
> I would just caution that if you keep creating policies to make every
> violation disappear under all circumstances then you're effectively
> disabling selinux. So you need to examine the consequence of each rule
> as you are doing, or asking us to do, which is good.

Indeed. You've probably noticed a lengthy post of mine on the previous
thread. The next is a short version:

tl;dr - Make sure that every denial you want to resolve is properly
documented (what was doing what for which reason and why is it breaking),
not just an entire denial log.

Of course, there are two (or even more) sides to consider. If the policy you
sent out is working for you but you have no desire to maintain it for more
people (or get it in a manageable way for others to take up maintenance)
then the policy is more than fine. After all, you're the security
administrator for your system, so you control the security policies the way
you please.

However, if the policy is meant to be included in Gentoo, we try to follow
the style mandated by the reference policy [1], one of which includes that
the .te and .if file should never directly mention domains (like
user_home_t) if that domain is not created by that .te file. If you need to
give privileges on your domain for user_home_t (or other domains), please
try using the interfaces defined in those domains instead.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide and links from
that page

> @SwifT - did you ever migrate that doc on how to debug policies to the tree?

Yup, it's at [2] and should still be up to date (you never know ;-) I'm
going to make this a bit easier for folks by requesting infra a git repo
where we can develop SELinux policy patches more easily (currently it is
done on github [3] and [4]).

[2] http://www.gentoo.org/proj/en/hardened/selinux-development.xml
[3] https://github.com/sjvermeu/hardened-refpolicy
[4] https://github.com/sjvermeu/small.coding/tree/HEAD/selinux-modules/patches

Wkr,
Sven Vermeulen
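As an added illustration (not part of the mail above or of the Gentoo policy tree), here is what the two points made in it, documenting each denial and not naming foreign domains, look like in a hypothetical module `foo` with domain `foo_t`. The `userdom_*`, `files_*` and `init_*` interface names are the ones the reference policy provides; the denial notes in the comments are constructed for the example.

```selinux
policy_module(foo, 1.0.0)

########################################
#
# Declarations
#

type foo_t;
type foo_exec_t;
init_daemon_domain(foo_t, foo_exec_t)

########################################
#
# Local policy
#

# Style violation: user_home_dir_t and user_home_t are declared by the
# userdomain module, so a foo.te must never name them directly. Left here,
# commented out, only to show the form that a reviewer would reject.
#allow foo_t user_home_dir_t:dir search_dir_perms;
#allow foo_t user_home_t:file read_file_perms;

# Preferred form: call the interfaces the owning module exports, and record
# per call which behaviour of the daemon needs it (the "what was doing what
# for which reason" that the mail asks for), not the raw denial log.
#
# foo reads a per-user configuration file (~/.foorc, constructed example)
# when a user session starts; without this it falls back to defaults and
# logs "config not found".
userdom_search_user_home_dirs(foo_t)
userdom_read_user_home_content_files(foo_t)

# foo reads /etc/foo.conf (constructed example) at daemon start; without it
# the service refuses to start at all.
files_read_etc_files(foo_t)
```

A rule whose reason cannot be written down in a comment like the ones above is a candidate for investigation rather than for a new allow.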