From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Thu, 17 Mar 2011 21:27:50 +0100 [thread overview]
Message-ID: <1300393670.31755.24.camel@tesla.lan> (raw)
In-Reply-To: <4D826724.4030908@redhat.com>
On Thu, 17/03/2011 at 15.55 -0400, Daniel J Walsh wrote:
> On 03/17/2011 03:40 PM, Guido Trentalancia wrote:
> >>> > > In any case, we haven't found a solution (or at least a methodology).
> >>> > > The only (obvious) one I can foresee at the moment is periodically
> >>> > > restarting from scratch (i.e. creating a new generation of refpolicy
> >>> > > from scratch every x years). Which is massive work.
> >>> > >
> >> > Yes and going to generate a large amount of errors, since most bugs are
> >> > caused by running apps in different ways.
> >> >
> >>> > > From the Changelog I take that refpolicy started on June 2005. Software
> >>> > > version numbers does not necessarily mean anything, but just to give an
> >>> > > idea, on June 2005, we had the following versions (taken at random):
> >>> > >
> >>> > > kernel 2.6.12 (now 2.6.38)
> >>> > > Linux-PAM 0.79 (now 1.1.3)
> >>> > > gtk+ 2.6.8 (now 3.0)
> >>> > > evolution 2.3.3 (now 2.32.2)
> >>> > > ...
> >> > And refpolicy was an attempt to make all rules == example policy when
> >> > the port happened, so most of the original rules come from Prior to 2002.
> >>> > >
> >>> > > I'd be very happy to hear from others...
> >>> > >
> >>> > > Regards,
> >>> > >
> >>> > > Guido
> >>> > >
> >> > I think if we ever get to the next generation of policy and could start
> >> > removing rules. easily this would help.
> > I didn't get this. What could help ?
> >
>
> Right now removing access is difficult, you really need to be able to
> start with the entire policy and build. If we improved the tool chain,
> you could remove rules. Then people could experiment with removing
> rules and it the system still works, suggest patches that remove allow
> rules.
Trial and error. Can you think of anything else behind that ? Or
otherwise just confirm that anything else is impossible to achieve ?
Because you know, automated trial and error methods are easy, cheap and
usually quite powerful. But human trial and error can be quite expensive
in practice.
> Imagine you could write policy module that said
>
> remove application_domain user_tty_device_t:chr_file open;
>
> [SNIP]
Yes. I get the point. The operator "remove" always having precedence
over "add". Hopefully we'll have that one day. In the end it shouldn't
be too hard to implement...
You found 1 methodology.
Regards,
Guido
next prev parent reply other threads:[~2011-03-17 20:27 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-17 13:50 [refpolicy] Question: and the policy grows Guido Trentalancia
2011-03-17 14:25 ` Daniel J Walsh
2011-03-17 16:04 ` Guido Trentalancia
2011-03-17 16:44 ` Daniel J Walsh
2011-03-17 17:54 ` Christopher J. PeBenito
2011-03-17 18:34 ` Daniel J Walsh
2011-03-17 19:49 ` Daniel J Walsh
2011-03-18 13:30 ` Christopher J. PeBenito
2011-03-17 20:15 ` Guido Trentalancia
2011-03-18 13:35 ` Christopher J. PeBenito
2011-03-18 15:25 ` Guido Trentalancia
2011-03-17 19:40 ` Guido Trentalancia
2011-03-17 19:55 ` Daniel J Walsh
2011-03-17 20:27 ` Guido Trentalancia [this message]
2011-03-18 13:38 ` Christopher J. PeBenito
2011-03-17 20:24 ` Sven Vermeulen
2011-03-17 21:08 ` Guido Trentalancia
2011-03-17 21:34 ` Sven Vermeulen
2011-03-17 23:04 ` Guido Trentalancia
2011-03-18 13:52 ` Christopher J. PeBenito
2011-03-18 15:20 ` Guido Trentalancia
2011-03-17 23:08 ` Mark Montague
2011-03-18 6:06 ` Sven Vermeulen
2011-03-18 10:19 ` Dominick Grift
2011-03-18 12:31 ` Guido Trentalancia
2011-03-17 22:56 ` Mark Montague
2011-03-18 10:12 ` Dominick Grift
2011-03-18 13:37 ` Stephen Smalley
2011-03-18 15:37 ` Dominick Grift
2011-03-17 23:24 ` SE Linux use - was: " Russell Coker
2011-03-18 0:33 ` Guido Trentalancia
2011-03-18 2:11 ` Jason Axelson
2011-03-18 13:23 ` James Carter
2011-03-18 14:33 ` Russell Coker
2011-03-18 14:57 ` Christopher J. PeBenito
2011-03-18 15:48 ` Guido Trentalancia
2011-03-18 23:40 ` Russell Coker
2011-03-18 15:45 ` Guido Trentalancia
2011-03-18 23:52 ` Russell Coker
2011-03-19 14:37 ` Guido Trentalancia
2011-03-18 14:08 ` Christopher J. PeBenito
2011-03-18 13:45 ` [refpolicy] " Christopher J. PeBenito
2011-03-18 15:09 ` Guido Trentalancia
2011-03-18 17:14 ` [refpolicy] dual mailing list (was Question: and the policy grows...) Guido Trentalancia
2011-03-18 18:40 ` Daniel J Walsh
2011-03-18 19:13 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300393670.31755.24.camel@tesla.lan \
--to=guido@trentalancia.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.