SELinux Talk FUDCon10

Notes on Dan Walsh's SELinux talk. This is incomplete, I was making notes mainly on what interested me and was newer information to share. (quaid)


 * Kernel unstable state with chroots == having different policy in chroot than in kernel memory
 * The /selinux/ filesystem is faked out in the chroot, with the proper policy
 * This lets the packages install correctly
 * New kernel change requested, to allow a file context to be written by the kernel that does not exist in the active running policy
 * Add the end, restorecon is run and it is allowed to put down labels the running kernel does not understand
 * For mock, trick mock in to thinking SELinux is not enforcing.
 * Guest and Xguest:
 * no exec in ~/
 * add tmp/?
 * no setuid applications
 * write specific policy to allow a transition for specific apps, e.g. NetworkManager etc.
 * lock all ports, only allow Firefox or other specific network apps
 * list of ports here is also limited

Open Issues

 * Need .26 kernel in F9 to get in the changes

Goals

 * Do not allow RPM to make changes to the running kernel