Comments on: Strict SELinux: Can’t things be more streamlined? http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/ Temporary Exile Mon, 01 Dec 2008 20:33:02 +0000 http://wordpress.org/?v=2.6.5 By: Alberto Caso http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-7435 Alberto Caso Wed, 27 Jun 2007 12:30:22 +0000 http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-7435 Debian Etch also uses policy modules by default. For example, module for Apache is at /usr/share/selinux/refpolicy-strict/apache.pp and you can install it with semodule: semodule -i /usr/share/selinux/refpolicy-targeted/apache.pp What is left now is that every package provides its own SELinux module (or a companion package with those modules, so that there can be different modules for the same packages, for different policies). That would be great. Regards. Debian Etch also uses policy modules by default.

For example, module for Apache is at /usr/share/selinux/refpolicy-strict/apache.pp and you can install it with semodule:
semodule -i /usr/share/selinux/refpolicy-targeted/apache.pp

What is left now is that every package provides its own SELinux module (or a companion package with those modules, so that there can be different modules for the same packages, for different policies). That would be great.

Regards.

]]> By: Huw Lynes http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-5303 Huw Lynes Thu, 17 May 2007 16:16:01 +0000 http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-5303 I think you are probably talking about policy modules which have already been implemented in RHEL5 and Fedora. http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules SElinux in redhat land has now got to the point that it usually isn't necessary to recompile SElinux policy sources on the machine. I suspect a similar approach could be taken in Debian. I think you are probably talking about policy modules which have already been implemented in RHEL5 and Fedora.

http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

SElinux in redhat land has now got to the point that it usually isn’t necessary to recompile SElinux policy sources on the machine. I suspect a similar approach could be taken in Debian.

]]> By: Sarah Kopman-Fried http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-5245 Sarah Kopman-Fried Wed, 16 May 2007 22:01:56 +0000 http://yonkeltron.com/2007/05/16/strict-selinux-cant-things-be-more-streamlined/#comment-5245 Dear Sir, I have been following you very closely of late and would like to inform you that I believe you are both brilliant and most impressive. Dear Sir,

I have been following you very closely of late and would like to inform you that I believe you are both brilliant and most impressive.

]]>