Fedora Linux Support Community & Resources Center

  #1  
Old 1st November 2012, 04:22 PM
mmehrwald Offline
Registered User
 
Join Date: May 2008
Posts: 46
Very strict SELinux for application

Hi,

I don't know very much about SELinux, so I need your tips on how to achieve what I want to do. I don't need a solution, but hints on where to start and what to read.

I want to have an application which is allowed to read/write a config file, update the system (using yum) and update itself, and which has access to some of the hardware. Nothing else should be possible. The application will be started on bootup and closing it will shut down the whole system. There should be no user, or at least no more users than needed to boot the system and run the app.

How do I know which system services (e.g. log) need which permissions, and how can I make sure that nothing else has access to anything except for the few things my app needs?

Please send me any kind of links and ideas you have.
  #2  
Old 1st November 2012, 06:48 PM
domg472 Offline
SELinux Contributor
 
Join Date: May 2008
Posts: 621
Re: Very strict SELinux for application

By testing your policy module.

You start with a basic policy module that takes care of creating types for important objects and subjects that are part of your app, then you make the types usable. Then you add file context specifications for the files that have a private type so that SELinux knows how the files should be labeled.

Then you take care of file and domain type transitions that you know of. You also take care of rules related to role-based access control (e.g. allow a role access to the process types).

Then it's basically testing in permissive mode, analyzing the AVC denials that you will be seeing (as SELinux blocks all access by default and you haven't added many, if any, rules to allow access yet).

Then based on the AVC denials you make security decisions and extend your policy module. Repeat until all works as desired.

http://danwalsh.livejournal.com/
https://docs.fedoraproject.org/en-US...ined_Services/
https://docs.fedoraproject.org/en-US...nhanced_Linux/
selinuxbyexample.com
selinuxproject.org
http://www.freetechbooks.com/the-sel...ions-t785.html
http://oss.tresys.com/projects/refpo.../Documentation
http://git.fedorahosted.org/cgit/selinux-policy.git/
https://www.youtube.com/user/domg472...e=results_main
https://www.nsa.gov/research/selinux/docs.shtml
http://marc.info/?l=selinux&r=1&w=2
__________________
Come join us on #fedora-selinux on irc.freenode.org
http://docs.fedoraproject.org/selinu...ide/f10/en-US/

Last edited by domg472; 1st November 2012 at 06:52 PM.
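
The analyze-and-extend loop described in the reply above, as an added example that is not part of the original post: a short Python script that groups AVC denials for one domain into candidate `allow` rules and holds back sensitive targets for a manual decision. The log lines are constructed, and the names `myapp_t` and `myapp_conf_t` and the review list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records for a hypothetical domain myapp_t
SAMPLE_LOG = """\
type=AVC msg=audit(1351786921.101:201): avc:  denied  { read } for  pid=912 comm="myapp" name="myapp.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1351786921.102:202): avc:  denied  { open } for  pid=912 comm="myapp" path="/etc/myapp/myapp.conf" dev="dm-0" ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:myapp_conf_t:s0 tclass=file
type=AVC msg=audit(1351786925.300:210): avc:  denied  { read write } for  pid=912 comm="myapp" name="ttyS0" dev="devtmpfs" ino=77 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1351786930.010:215): avc:  denied  { read } for  pid=912 comm="myapp" name="shadow" dev="dm-0" ino=2001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1351786930.010:215): arch=c000003e syscall=2 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    # user:role:type:level -> the type is the third field
    return context.split(":")[2]

def summarize_denials(log_text, source_type):
    """Merge denials for one source domain into {(target, class): perms}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or selinux_type(m["scon"]) != source_type:
            continue  # not an AVC denial, or a different domain
        merged[(selinux_type(m["tcon"]), m["tclass"])].update(m["perms"].split())
    return dict(merged)

def candidate_rules(denials, source_type, review_targets=("shadow_t",)):
    """Render allow rules; targets in review_targets are flagged, not allowed."""
    rules = []
    for (target, tclass), perms in sorted(denials.items()):
        rule = f"allow {source_type} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if target in review_targets:
            rule = "# REVIEW, not added: " + rule
        rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize_denials(SAMPLE_LOG, "myapp_t"), "myapp_t")))
```

On a real system `audit2allow` produces rules like these from the audit log; the point of the flagged line is that a denial is a question to decide, not automatically a rule to add.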
Tags
application, selinux, strict
