[CentOS] SELinux and access across 'similar types'

Daniel J Walsh dwalsh at redhat.com
Tue Jan 10 21:50:41 UTC 2012


On 01/10/2012 04:41 PM, Les Mikesell wrote:
> On Tue, Jan 10, 2012 at 3:26 PM, Daniel J Walsh <dwalsh at redhat.com>
> wrote:
>> 
>> Again, there is nothing that we do that is vendor specific.
>> Everything we do with SELinux is open source.  We are working to
>> get our stuff upstream.
>> 
>> I have no idea what you are talking about as far as variations
>> in Linux distributions.  I work regularly with people in CentOS,
>> RHEL, Gentoo, Ubuntu, Debian, Fedora and today even Mandriva.
>> SELinux was just released for android also.  As I tweeted
>> yesterday.
> 
> OK, so the part that breaks things is getting widely shipped.  Are
> the parts that make each specific application work again getting
> pushed upstream into the corresponding projects?
> 
That is not the way it works.  SELinux Reference Policy is a database
of rules that govern the default ways applications run.  These rules
that have been written for Fedora/RHEL are public and are being moved
upstream.  Different distributions can choose to use these policies or
write their own.  Out of the Reference Policy you can build your own
version of targeted or MLS policy or you can write your policy from
scratch.

http://fedoraproject.org/wiki/SELinux/Policies
http://oss.tresys.com/projects/refpolicy

We do not ship apache policy with the apache package, so we do not
attempt to get the apache policy upstreamed to the apache package.
This allows different people to write their own policies on how they
want to run apache or they can grab the reference policy version.


The place that SELinux breaks applications is when an application does
something that SELinux did not expect. I wrote a paper and
presentation on the four main causes of SELinux issues.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux4things.odp
