
SELinux Mailing List

Re: Sample SELinux policy that's equivalent to standard root?

From: Brian May <bam_at_snoopy.apana.org.au>
Date: Thu, 25 Sep 2003 10:00:45 +1000


On Tue, Sep 23, 2003 at 05:16:27PM -0400, Inger, Slav (S.B.) wrote:
> I hope this is the right mailing list to ask this question. Here's my
> setup: a freshly compiled Linux 2.6.0-test3-selinux1, using a default
> policy supplied in selinux-usr/policy. What I would like to do is,
> instead of starting with the most restrictive mode and easing my way
> to less restrictive, I'd like to start with a relaxed root access
> policy (i.e. start with root as "God" even in enforced mode, as is the
> case with standard Linux) and tighten up from there. So my question
> is, does anyone know where I could get the configs for a policy with
> root rights equivalent to that on a standard Linux system? TIA.

Essentially the simplest and least restrictive policy would be:

  • all processes run with the one domain
  • all files, sockets, have the one type
  • this one domain is allowed full access to this one type with any operation.

Yes, this would be simple, but I don't think it is what you want.

I think you would end up "reinventing the wheel" and creating a policy very similar to Russell's.

-- 
Brian May <bam@snoopy.apana.org.au>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
Received on Wed 24 Sep 2003 - 19:59:52 EDT
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service