From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Thu, 17 Mar 2011 22:08:44 +0100
Message-ID: <1300396124.31755.48.camel@tesla.lan>
In-Reply-To: <20110317202433.GA6695@siphos.be>
Hi Sven !
On Thu, 17/03/2011 at 21.24 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 08:40:04PM +0100, Guido Trentalancia wrote:
> > There is at least the limit of not having many people on this list
> > compared to most other Linux projects. Perhaps security is considered
> > something boring to the average user/developer. Or even more likely
> > SELinux is still perceived as "difficult to get into" (a documentation
> > issue).
>
> I think it is more that security is still seen as an expert field, and most
> organizations don't have the people or resources to invest in expert fields
> beyond using what their vendor is offering. And the investments they do make are
> more targeted at immediate threats like centralized user management, proper
> auditing and such. Mandatory Access Control, although offered on all
> enterprise-grade platforms, is often disregarded as too difficult to master.
I would say most people see security as a very optional, very boring
thing.
It couldn't be otherwise, because (hardening) guidelines such as those
from the NSA (for Linux or other OSes such as Windows) require absolutely no
knowledge about the OS. On Windows, it is really a matter of launching
regedit and a couple of other Microsoft applications and just following
the recommended configuration. On Linux it's just a bit more (editing a
few configuration files maybe). Still many (if not most) people do not
care about investing those 30 minutes...
It's a situation very similar to preventive medicine ("it will never
happen to me").
But I would stop here because perhaps we are getting a bit off-topic
now.
> It is a good thing that RedHat and other (commercial) distributions are
> (starting to) offer SELinux-enabled systems by default. By integrating it
> immediately (and not offering it as an "additional" option) they somewhat
> force organizations to at least understand what it does or is supposed to
> do. By having the non-commercial distributions focus on SELinux more and
> more, this will also create awareness in the community.
Sure.
> Having a working reference policy to start from is an important part here,
> because most community distributions don't have the resources to build off
> general policies that work for the majority of users themselves. I am
> perfectly aware that the reference policy does not entirely do what I would
> expect a policy to do on *my* system, but for a distribution, it is a
> perfect starting point.
Yes.
> The next step then - once a distribution has at least one policy that is
> working well - is to offer the necessary documentation and help for
> administrators to create and manage their own policies [1]. After all, if a
> distribution only delivers the policy but offers little help to modify or
> install your own, then the distributions' the security administrator and not
> some team in the organization.
I think I got lost in the last sentence. But the documentation you
describe is generic documentation about policy writing. So it's
something that could be written once for everybody (ideally a joint
effort).
My question was more about methods for policy reduction and tightening
(a policy management issue)... Can you think of solutions to that
problem?
Regards,
Guido