From Fedora Project Wiki

Revision as of 18:45, 21 June 2008 by Kwade (talk | contribs) (adding categories)

Notes on Dan Walsh's SELinux talk. This is incomplete; I was making notes mainly on what interested me and was newer information to share. (quaid)

  • Kernel unstable state with chroots == having different policy in chroot than in kernel memory
  • The /selinux/ filesystem is faked out in the chroot, with the proper policy
    • This lets the packages install correctly
  • New kernel change requested, to allow a file context to be written by the kernel that does not exist in the active running policy
    • At the end, restorecon is run and it is allowed to put down labels the running kernel does not understand
  • For mock, trick mock into thinking SELinux is not enforcing.
  • Guest and Xguest:
    • no exec in ~/
      • add tmp/?
    • no setuid applications
      • write specific policy to allow a transition for specific apps, e.g. NetworkManager etc.
    • lock all ports, only allow Firefox or other specific network apps
      • list of ports here is also limited


Open Issues

  • Need .26 kernel in F9 to get in the changes

Goals

  • Do not allow RPM to make changes to the running kernel