SELinux Mailing List: by thread

From: Justin R. Smith <jsmith_at_mcs.drexel.edu>
subject: Vanilla unix policy
Date: 10 Oct 2001 12:50:44 -0400

Some thoughts:

  1. SELinux implements a very nice GENERAL scripting language for security policies.
  2. Is there a simple policy that merely duplicates the one that implicitly exists in Linux already (i.e., user, group ownership and permissions)?

My thoughts are that one could begin with this and tighten it up one step at a time. This might be easier than trying to create a very fine-grained security policy from the outset.
--

You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

From: Stephen Smalley <sds_at_tislabs.com>
subject: Re: Vanilla unix policy
Date: Wed, 10 Oct 2001 15:25:52 -0400 (EDT)

On 10 Oct 2001, Justin R. Smith wrote:

> 2. Is there a simple policy that merely duplicates the one that
> implicitly exists in Linux already (i.e., user, group ownership and
> permissions)?

The SELinux access controls are orthogonal to the existing Linux access controls, so there isn't any reason to try to emulate the Linux access controls in the SELinux policy. The SELinux access controls can be used to further restrict access based on the system security policy, but they do not replace the existing controls. With the example security server, you can provide the "simple policy" that you describe by only using a single role, domain, and type for all subjects and objects and granting all permissions. Or you can use the trivial security server, although we haven't been maintaining it lately.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com





This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT
