On Fri, Nov 04, 2011 at 07:58:45AM -0400, Anthony G. Basile wrote:
> I'll let SwifT and other Selinuxers comment in detail on your policies.
> I would just caution that if you keep creating policies to make every
> violation disappear under all circumstances then you're effectively
> disabling selinux. So you need to examine the consequence of each rule
> as you are doing, or asking us to do, which is good.
Indeed. You've probably noticed a lengthy post of mine on the previous thread. The next is a short version:

tl;dr - Make sure that every denial you want to resolve is properly documented (what was doing what for which reason and why is it breaking), not just an entire denial log.

Of course, there are two (or even more) sides to consider. If the policy you sent out is working for you but you have no desire to maintain it for more people (or get it in a manageable way for others to take up maintenance) then the policy is more than fine. After all, you're the security administrator for your system, so you control the security policies the way you please.

However, if the policy is meant to be included in Gentoo, we try to follow the style mandated by the reference policy [1], one of which is that the .te and .if files should never directly mention domains (like user_home_t) if that domain is not created by that .te file. If you need to give privileges on your domain for user_home_t (or other domains), please try using the interfaces defined in those domains instead.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide and links from that page

> @SwifT - did you ever migrate that doc on how to debug policies to the tree?

Yup, it's at [2] and should still be up to date (you never know ;-)

I'm going to make this a bit easier for folks by requesting infra a git repo where we can develop SELinux policy patches more easily (currently it is done on github [3] and [4]).

[2] http://www.gentoo.org/proj/en/hardened/selinux-development.xml
[3] https://github.com/sjvermeu/hardened-refpolicy
[4] https://github.com/sjvermeu/small.coding/tree/HEAD/selinux-modules/patches

Wkr,
	Sven Vermeulen
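As an added illustration of the style-guide point in the reply above (example policy written for this page, not code from the thread or from the Gentoo/refpolicy repositories; the module `myapp` and its types `myapp_t`, `myapp_exec_t` and `myapp_conf_t` are hypothetical), here is the same home-directory access written the discouraged way and the interface-based way, plus the interface such a module would export so that other modules never have to name its types directly:

```selinux
# Added example, not from the thread. Hypothetical module "myapp" that needs to
# read files under users' home directories. user_home_t is declared in
# userdomain.te, so by the refpolicy style guide it must not be named here.

# ---- myapp.te ----
policy_module(myapp, 1.0)

type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

type myapp_conf_t;
files_config_file(myapp_conf_t)

# Style-guide violation: names another module's types directly. It builds and
# it would make the AVC denial disappear, but it ties this module to the
# internals of userdomain.te and bypasses whatever that module's maintainers
# intended as the supported access path:
#
#   gen_require(`
#       type user_home_dir_t, user_home_t;
#   ')
#   allow myapp_t user_home_dir_t:dir search_dir_perms;
#   allow myapp_t user_home_t:dir list_dir_perms;
#   allow myapp_t user_home_t:file read_file_perms;

# Preferred form: the interface userdomain.if exports for exactly this need.
# It carries its own gen_require() and the search/list/read rules above.
userdom_read_user_home_content_files(myapp_t)

# ---- myapp.if ----
# The other direction: export an interface so that a module wanting to read
# myapp's configuration never writes "type myapp_conf_t;" itself.
########################################
## <summary>
##	Read myapp configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`myapp_read_config',`
	gen_require(`
		type myapp_conf_t;
	')

	files_search_etc($1)
	allow $1 myapp_conf_t:file read_file_perms;
')
```

A denial on user_home_t from myapp_t would then be resolved by one interface call whose justification can be recorded next to it, which is the per-denial documentation the reply asks for.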