The Fedora Core 5 SELinux FAQ is now available at http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have any corrections or suggestions. Also, check out the Fedora SELinux wiki at http://fedoraproject.org/wiki/SELinux, which includes a section for adding proposed additions to the FAQ.
Thanks, Chad
On Tue, 2006-03-28 at 20:45 -0500, Chad Sellers wrote:
> The Fedora Core 5 SELinux FAQ is now available at http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have any corrections or suggestions. Also, check out the Fedora SELinux wiki at http://fedoraproject.org/wiki/SELinux, which includes a section for adding proposed additions to the FAQ.
> Thanks, Chad
Thanks Chad. Good work.
Rahul
On 3/28/06, Chad Sellers csellers@tresys.com wrote:
> The Fedora Core 5 SELinux FAQ is now available at http://fedora.redhat.com/docs/selinux-faq-fc5. Let me know if you have any corrections or suggestions. Also, check out the Fedora SELinux wiki at http://fedoraproject.org/wiki/SELinux, which includes a section for adding proposed additions to the FAQ.
Cool and thanks for all the work here.
I am trying to go over the questions in here one by one.. as I need to work out what could be done for some systems where I work. I have one question so far:
Q: What about the strict policy? Does it even work? [From the list at release time.. I thought strict policy was broken for Core.]
Q: What is the Reference Policy?
[I found I am really confused by this answer.. if my muddled brain is getting this correct.. the Reference Policy is the base policy that the Fedora Core 5 targeted, strict, mls policies are based off of the Reference Policy.. or are there 2 sets of policies shipped with Fedora Core 5 some of which are based off of the old set and the others by the new set.]
Again thanks.. I will try to send some stuff as I go through this.
-- Stephen J Smoogen. CSIRT/Linux System Administrator
On Wed, 2006-03-29 at 10:19 -0700, Stephen J. Smoogen wrote:
> I am trying to go over the questions in here one by one.. as I need to work out what could be done for some systems where I work. I have one question so far:
> Q: What about the strict policy? Does it even work? [From the list at release time.. I thought strict policy was broken for Core.]
Yes, -strict in FC5 is broken at the moment, although there is ongoing work to resolve the issues needed to get it working. The breakage isn't really anything to do with -strict per se, just fully modularized policy (breaking down even the base policy into lots of individual modules).
> Q: What is the Reference Policy?
> [I found I am really confused by this answer.. if my muddled brain is getting this correct.. the Reference Policy is the base policy that the Fedora Core 5 targeted, strict, mls policies are based off of the Reference Policy.. or are there 2 sets of policies shipped with Fedora Core 5 some of which are based off of the old set and the others by the new set.]
Reference policy is the new source policy tree from which all policy types (-strict, -targeted, -mls) are being built. Previously, they were being built from the NSA example policy source tree.
On Wed, 2006-03-29 at 12:53 -0500, Stephen Smalley wrote:
> > Q: What is the Reference Policy?
> > [I found I am really confused by this answer.. if my muddled brain is getting this correct.. the Reference Policy is the base policy that the Fedora Core 5 targeted, strict, mls policies are based off of the Reference Policy.. or are there 2 sets of policies shipped with Fedora Core 5 some of which are based off of the old set and the others by the new set.]
> Reference policy is the new source policy tree from which all policy types (-strict, -targeted, -mls) are being built. Previously, they were being built from the NSA example policy source tree.
I'm guessing that you were confused by this statement from the FAQ: "Fedora policies at version 1.x are based on the traditional example policy. Version 2.x policies (as used in Fedora Core 5) are based on the Reference Policy."
This doesn't mean that there are two branches of policy (1.x and 2.x) being carried in FC5; FC5 only has version 2.x.y policies based on refpolicy. The above statement from the FAQ just means that when the developers switched from using example policy to reference policy as their source base during development of FC5, they changed the package version from being a 1.x series to being a 2.x series to signify that a major change had occurred. So when you see a policy package that has a 1.x version, you know you are dealing with a policy built from example policy (as in FC4, RHEL4, FC3), and when you see a 2.x version, you know you are dealing with a policy built from refpolicy (as in FC5 and everything going forward).
selinux@lists.fedoraproject.org