[refpolicy] Question: and the policy grows...
sds at tycho.nsa.gov
Fri Mar 18 08:37:44 CDT 2011
On Thu, 2011-03-17 at 18:56 -0400, Mark Montague wrote:
> - I've always struggled with policy file syntax. What is allowed?
> Where? The M4 macros make things more mysterious for me, rather than
> easier. I'm find having to "pre-declare" everything in a require stanza
> to be frustrating, especially as I'm constantly leaving things out.
> I've still no understanding of the differences between .if and .te files
> (e.g., apache.if versus apache.te in the targeted policy)
.if files are for interface/macro definitions. Similar to a header
> - Roles, in particular, could be better documented, in my opinion. At
> least, I have not found any great documentation that addresses everyday
> situations with roles. I'd like to make more use of roles in order to
> run more secure servers, but am a bit lost.
Agreed, but have you looked at:
It is far from everything one might want, but at least it is a starting
> - I've got little to no understanding of what the SELinux code in the
> kernel does or how it does it. It's a black box on which I twiddle
> knobs and hope I get the result I want. I see AVC denial messages but
> have no idea what the Access Vector Cache is.
The following is a nice walk through the SELinux kernel code by someone
other than its developers:
There are also the official docs:
> - Finding and installing the "right" Fedora / Red Hat RPMs for what
> needs to be done (e.g., building policies). (It's simple once you know,
> but I had a great deal of trouble finding out): setools setools-devel
> libsemanage-devel policycoreutils-python selinux-policy-devel
> selinux-policy-doc. policycoreutils-python was a big problem for me in
> particular here, since the name of the RPM implies -- to me -- that it
> is a set of policy core utilities for *use* with python, rather than
> tools *written* in python (normally, when installing an RPM, I don't
> care about what language was used to write the programs that it contains).
Maybe we need a yum group for all of this? Dan? PolicyDevel or
National Security Agency
More information about the refpolicy