SELinux Talk FUDCon10

From FedoraProject


Notes on Dan Walsh's SELinux talk. This is incomplete; I was making notes mainly on what interested me and was newer information to share. (quaid)

  • Kernel unstable state with chroots == having different policy in chroot than in kernel memory
  • The /selinux/ filesystem is faked out in the chroot, with the proper policy
    • This lets the packages install correctly
  • New kernel change requested, to allow a file context to be written by the kernel that does not exist in the active running policy
    • At the end, restorecon is run and it is allowed to put down labels the running kernel does not understand
  • For mock, trick mock into thinking SELinux is not enforcing
  • Guest and Xguest:
    • no exec in ~/
      • add tmp/?
    • no setuid applications
      • write specific policy to allow a transition for specific apps, e.g. NetworkManager etc.
    • lock all ports, only allow Firefox or other specific network apps
      • list of ports here is also limited


Open Issues

  • Need .26 kernel in F9 to get in the changes

Goals

  • Do not allow RPM to make changes to the running kernel