Userspace Development
From SELinux Wiki
Userland Development Site
- Userland repository, tracking, wiki: the new userland development site.
Historical Information Below
Desired changes to the SELinux userspace infrastructure
- intermediate policy representation (in progress, libpolicyrep)
- explicit symbol hierarchy (hierarchy divorced from symbol name)
- nested conditionals
- refpolicy style interfaces in the proper policy language
- refpolicy tunables in the policy language (to remove most conditionals from final policy)
- policy change access control in libsemanage (in progress, policy server)
- heterogeneous policy support
Fedora 9 Enhancements
SELinux Policy:
Add nsplugin for confinement of Firefox Plugins
Boolean available for unconfined_t: allow_unconfined_nsplugin_transition
Defaults to off, but I am running flashplugin fine with the boolean on.
Remove separation of home dir labeling based on user prefix. All home directories are labeled user_home_t or user_mozilla_home_t. We no longer differentiate staff_home_t.
Rewrote basic login user types. Now we have:
unconfined_t - Same as before
staff_t - Needs transitions for all SETUID programs. Not allowed to run su. Can only become root through sudo. New confined root domains accessible through sudo. The idea is that this is an administrator account that does not have the root password. Full network access. If a SETUID app is going to be run, you need a transition.
user_t - No su or sudo access. No way to run processes as root. No SETUID apps, but full network access. Transitions exist for certain apps, like nsplugin.
xguest_t - X Windows login account with no SETUID and no network. Firefox can reach the network via http ports. Booleans can turn this access on and off.
guest_t - No X Windows support, no SETUID, no network. Least privileged account access, for terminal and ssh accounts.
Mozilla policy has been rewritten to include three booleans: No transition, No Homedir access and Full Access.
Policycoreutils
Audit2allow/Audit2why combined and added boolean support. Enhancements to sepolgen for better error reporting.
system-config-selinux
Better filtering to make it easier to find particular booleans. Boolean descriptions extracted out of policy and displayed.
Better filtering for selecting what was locally customized.
polgengui
Enhanced to allow creation of users as well as confined processes. You can now create root admins from all confined domains by simply selecting the domains in the GUI.
libselinux
Added audit2why python bindings
setroubleshoot
Added catchall_booleans plugin, so on AVC arrival all booleans are now checked against the installed policy.
xguest package : kiosk account:
pam_selinux_permit PAM module added. This allows users to log in to a system without a password, as long as SELinux is in enforcing mode. I have just completed updating it to make sure you are the only one logged in and all processes are killed on log out.
pam_namespace enhanced to handle temporary file systems for homedir and /tmp. This allows us to destroy all memory of users when they log out.
xguest policy described above.
sabayon used for xguest creation of the home dir.
Possible enhancements to other applications
- fastcgi (support interpreted scripts in different domains without the performance hit of pure-cgi mode)
- JBoss/Geronimo (support web applications in separate domains)
- RPM (or some other package manager) supporting SELinux policy in a reasonable way
- SELinux aware database server (in progress, sepostgresql)
- SELinux aware LDAP server
- SELinux controls on LDAP database updates
- SELinux user mapping information available via LDAP
- possibly managing SELinux policy for an enterprise via LDAP server
