
SELinux Mailing List

RE: SELinux

From: David Caplan <dac_at_tresys.com>
Date: Thu, 21 Feb 2002 12:33:46 -0500


I would also add that one of the most valuable things to look at is the log messages. They make it real easy to find things that you've missed. Of course, just because you see a deny in the log doesn't mean you necessarily want to allow it.

-----Original Message-----

From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]On Behalf Of Shaun Savage
Sent: Thursday, February 21, 2002 12:27 AM
To: selinux@tycho.nsa.gov
Subject: SELinux

I have been customizing the policy now for about three months. If you think of writing new policy as designing a state machine, things are easier. The questions you need to ask are:
1> How do you get to the execution of the program? What domain should you allow to start this program?
2> What protections are required? This is the biggest issue. Is there a log file? Does the program access any sockets? Is there user communication? Detailed knowledge of the application is needed. I tend to be paranoid so I create too many sub domains and make the policy difficult.
3> What programs are allowed to access this application data?

Read the policy/macros.te file
The linux/security/selinux/include/flask/*.h
av_permissions.h gives the bit pattern of all the permissions
av_perm_to_string.h & common_perm_to_string.h is some of the string permissions
class_to_string.h is most of the objects
flask.h gives the object classes

The main thing is to understand the application. Know what files, sockets, are being accessed and how.

I do agree that there needs to be more documentation, but if there isn't then you can earn big dollars if you know it, I hope ;-).

Shaun Savage

--

You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Received on Thu 21 Feb 2002 - 12:36:41 EST
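Added example, not part of either message: one way to work through the denials the reply mentions is to group the AVC "denied" lines by source type, target type and object class, and emit each group as a commented candidate rule that a person accepts or rejects. The log lines, type names and function names below are constructed for illustration; only the permission list, `scontext`, `tcontext` and `tclass` fields are relied on.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the original thread). Only the fields
# parsed below are relied on; other key=value pairs vary between kernel versions.
SAMPLE_LOG = """\
avc:  denied  { read } for  pid=812 exe=/usr/sbin/httpd path=/var/log/app.log dev=03:02 ino=4711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { append } for  pid=812 exe=/usr/sbin/httpd path=/var/log/app.log dev=03:02 ino=4711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { read } for  pid=812 exe=/usr/sbin/httpd path=/etc/shadow dev=03:02 ino=99 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
avc:  granted  { load_policy } for  pid=1 scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Group denials by (source type, target type, class) -> {permission: count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial (e.g. "granted") or not an AVC line
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        for perm in m["perms"].split():
            summary[key][perm] += 1
    return {k: dict(v) for k, v in summary.items()}

def review_lines(summary):
    """Render each group as a commented candidate rule for a human to accept or reject."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        hits = sum(perms.values())
        out.append(f"# REVIEW ({hits} denials): allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(review_lines(summarize_denials(SAMPLE_LOG))))
```

The output is deliberately left as comments: in the constructed sample, the `var_log_t` group is a plausible rule to accept, while the `shadow_t` read is the kind of denial that should stay denied.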

 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009

 

National Security Agency / Central Security Service