|Main Archive Page > Month Archives > fedora-selinux archives|
-----BEGIN PGP SIGNED MESSAGE-----
On 12/09/2010 11:48 AM, Roberto Sassu wrote:
> Hi all
> i want to write a policy for encrypted files.
> In order to do this i created some new types which have the
> name of the correspondent type used for non encrypted files,
> with the prefix 'encrypted_'.
> Then i need to define the policy for applications that need to
> use these new types which is very similar to this defined
> for original types, except that i want to take rules only
> for the 'dir' and 'file' class.
And what are you trying to achieve with that with regard to security?
> What this the best way to define the policy? Do i have
> to duplicate all required interfaces/templates or can i reuse
> the existent code, for instance by adding a new parameter?
> I will show an example of what i'm trying to define.
> New type: encrypted_etc_t;
> Example interface:
> type etc_t;
> allow $1 etc_t:dir list_dir_perms;
> Added interface:
> type encrypted_etc_t;
> allow $1 encrypted_etc_t:dir list_dir_perms;
The above examples are exactly the same. In that case you would not even
need to create anything new. Also why would you want to create this
whole stuff new just to be able to exclude classes other then dir and
file? How is that beneficial for the security point of view to you?
Comments i made above asside: it does not make to many difference
(afaict) whether you extend existing interfaces or create new ones. if
it works, it works.
> selinux mailing list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
-- selinux mailing list email@example.com https://admin.fedoraproject.org/mailman/listinfo/selinux