From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from jazzhorn.ncsc.mil (mummy.ncsc.mil [144.51.88.129])
	by tarius.tycho.ncsc.mil (8.13.1/8.13.1) with ESMTP id k8LGXef1017946
	for ; Thu, 21 Sep 2006 12:33:40 -0400
Received: from mx1.redhat.com (jazzhorn.ncsc.mil [144.51.5.9])
	by jazzhorn.ncsc.mil (8.12.10/8.12.10) with ESMTP id k8LGXAcD027663
	for ; Thu, 21 Sep 2006 16:33:10 GMT
Subject: Re: Latest diffs
From: Karl MacMillan
To: "Christopher J. PeBenito"
Cc: Daniel J Walsh , SE Linux
In-Reply-To: <1158849263.3920.63.camel@sgc.columbia.tresys.com>
References: <45116881.3060406@redhat.com>
	<1158846352.3920.33.camel@sgc.columbia.tresys.com>
	<45129C7F.6090801@redhat.com>
	<1158849263.3920.63.camel@sgc.columbia.tresys.com>
Content-Type: text/plain
Date: Thu, 21 Sep 2006 12:33:36 -0400
Message-Id: <1158856416.28640.41.camel@localhost.localdomain>
Mime-Version: 1.0
Sender: owner-selinux@tycho.nsa.gov
List-Id: selinux@tycho.nsa.gov

On Thu, 2006-09-21 at 10:34 -0400, Christopher J. PeBenito wrote:
> On Thu, 2006-09-21 at 10:06 -0400, Daniel J Walsh wrote:
> > Christopher J. PeBenito wrote:
> > > On Wed, 2006-09-20 at 12:12 -0400, Daniel J Walsh wrote:
> > >
> > > I haven't looked at the patch but I have some initial reactions from
> > > your description:
> > >
> > >
> > >> http://people.redhat.com/dwalsh/SELinux/policy.diff
> > >>
> > >> Changed to allow 1024 categories.
> > >>
> > >
> > > Why do we need this many? This isn't even an incremental change up to
> > > something like 384 or 512.
> > >
> > >
> > MLS People have passed 256 and wanted a big jump to prevent hitting this
> > problem again. I put it in for both to prevent confusion between MCS/MLS
>
> Ok, we'll go with 1024, but that's where I draw the line; I consider any
> higher to be a corner case. Anyone that needs more than that will have
> to build their own custom policy.
>

We have also discussed reserving category ranges for different purposes -
e.g., categories local to a machine and categories managed across a
network. With that usage model higher numbers start looking more
reasonable quickly.

What is the objection to the higher numbers of categories? It shouldn't
have a large impact on policy size I wouldn't think. If you are trying
to prevent misuse I think that is a losing battle. We should provide
tools that can be used reasonably, not prevent potentially legitimate
uses because some people are clueless.

Karl