2008-09-22 20:19:09

by konrad.azzopardi

Subject: [refpolicy] SELinux policy

Hi all,

I am interested as part of my Masters Degree in Information Security
to contribute in some way by writing a policy for some application. I
am still in research phase and any suggestions would be very helpful.

I thank you in advance
Konrad


2008-09-22 21:00:47

by domg472

Subject: [refpolicy] SELinux policy

Writing a policy is not really that hard to do. The book SELinux by
Example goes into it, although it is a bit old. Tresys reference policy
is full of examples and can help you get started as well. Also, googling
for SELinux might yield interesting results.

What is more interesting in my view is implementing an access control
extension for some program, for example apache or another project.
dwalsh recently talked about some of this:

http://danwalsh.livejournal.com/23118.html

The nsa.gov website has documentation on how to implement ACE for
applications. Existing examples are XACE, SEBDUS, nscd, sepostgresql,
etc.

I will gladly answer any questions I can about writing policy. But again,
writing a policy is, in my view, not really ambitious for a master's
degree project.

Many of us you can also find on IRC.freenode.org in either #selinux ,
#fedora-selinux or both. Stop by and have a chat if you want to have a
talk about writing policy.

On Mon, 2008-09-22 at 22:19 +0200, Konrad Azzopardi wrote:
> Hi all,
>
> I am interested as part of my Masters Degree in Information Security
> to contribute in some way by writing a policy for some application. I
> am still in research phase and any suggestions would be very helpful.
>
> I thank you in advance
> Konrad
--
Dominick Grift <[email protected]>


2008-09-23 23:50:50

by Russell Coker

Subject: [refpolicy] SELinux policy

On Tuesday 23 September 2008 07:00, Dominick Grift <[email protected]> wrote:
> What is more interesting in my view is implementing an access control
> extension for some program, for example apache or another project.
> dwalsh recently talked about some of this:
>
> http://danwalsh.livejournal.com/23118.html
>
> The nsa.gov website has documentation on how to implement ACE for
> applications. Existing examples are XACE, SEBDUS, nscd, sepostgresql,
> etc.

One possibility is modifying Exim to use multiple domains (it already
re-exec's itself). The author has agreed in concept to accept some patches
in this regard. I would be happy to advise on how to go about this.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development