From: guido@trentalancia.com (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] Question: and the policy grows...
Date: Fri, 18 Mar 2011 00:04:59 +0100 [thread overview]
Message-ID: <1300403099.29107.4.camel@tesla.lan> (raw)
In-Reply-To: <20110317213452.GB6695@siphos.be>
Hi Sven !
On Thu, 17/03/2011 at 22.34 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 10:08:44PM +0100, Guido Trentalancia wrote:
> > > The next step then - once a distribution has at least one policy that is
> > > working well - is to offer the necessary documentation and help for
> > > administrators to create and manage their own policies [1]. After all, if a
> > > distribution only delivers the policy but offers little help to modify or
> > > install your own, then the distributions' the security administrator and not
> > > some team in the organization.
> >
> > I think I got lost in the last sentence. But the documentation you
> > describe is generic documentation about policy writing. So it's
> > something that could be written once for everybody (ideally a joint
> > effort).
>
> True, but some distributions offer additional tools, methods or packages to
> support administrators with SELinux.
>
> > My question was more about methods for policy reduction and tightening
> > (a policy management issue)... Can you think about solutions to that
> > problem ?
>
> I don't have a solution, but my suggestion would be to auditallow the
> statements you believe are obsolete for a system and thoroughly test the
> system and see if no audits occur.
I do not assume anything. In simpler terms, I'd like to scan (search).
> If you'd like to have the obsoleted ones suggested rather than you having to
> find some, perhaps there is a way to regularly dump the avc cache and after
> some time, correlate the dumps with the policy, informing the developer
> about rules that were potentially never hit during the test.
This is cool !
> Little change in method, same principle.
>
> But honestly, I would hope that software developers for which a SELinux
> policy (module) exists would maintain it as part of their stack, rather than
> rely on people like you to debug, test and suggest updates on the policies.
I do not want or plan to do anything like that. But thanks for your
trust anyway !
Are there any developers actually doing that ?
Regards,
Guido
next prev parent reply other threads:[~2011-03-17 23:04 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-03-17 13:50 [refpolicy] Question: and the policy grows Guido Trentalancia
2011-03-17 14:25 ` Daniel J Walsh
2011-03-17 16:04 ` Guido Trentalancia
2011-03-17 16:44 ` Daniel J Walsh
2011-03-17 17:54 ` Christopher J. PeBenito
2011-03-17 18:34 ` Daniel J Walsh
2011-03-17 19:49 ` Daniel J Walsh
2011-03-18 13:30 ` Christopher J. PeBenito
2011-03-17 20:15 ` Guido Trentalancia
2011-03-18 13:35 ` Christopher J. PeBenito
2011-03-18 15:25 ` Guido Trentalancia
2011-03-17 19:40 ` Guido Trentalancia
2011-03-17 19:55 ` Daniel J Walsh
2011-03-17 20:27 ` Guido Trentalancia
2011-03-18 13:38 ` Christopher J. PeBenito
2011-03-17 20:24 ` Sven Vermeulen
2011-03-17 21:08 ` Guido Trentalancia
2011-03-17 21:34 ` Sven Vermeulen
2011-03-17 23:04 ` Guido Trentalancia [this message]
2011-03-18 13:52 ` Christopher J. PeBenito
2011-03-18 15:20 ` Guido Trentalancia
2011-03-17 23:08 ` Mark Montague
2011-03-18 6:06 ` Sven Vermeulen
2011-03-18 10:19 ` Dominick Grift
2011-03-18 12:31 ` Guido Trentalancia
2011-03-17 22:56 ` Mark Montague
2011-03-18 10:12 ` Dominick Grift
2011-03-18 13:37 ` Stephen Smalley
2011-03-18 15:37 ` Dominick Grift
2011-03-17 23:24 ` SE Linux use - was: " Russell Coker
2011-03-18 0:33 ` Guido Trentalancia
2011-03-18 2:11 ` Jason Axelson
2011-03-18 13:23 ` James Carter
2011-03-18 14:33 ` Russell Coker
2011-03-18 14:57 ` Christopher J. PeBenito
2011-03-18 15:48 ` Guido Trentalancia
2011-03-18 23:40 ` Russell Coker
2011-03-18 15:45 ` Guido Trentalancia
2011-03-18 23:52 ` Russell Coker
2011-03-19 14:37 ` Guido Trentalancia
2011-03-18 14:08 ` Christopher J. PeBenito
2011-03-18 13:45 ` [refpolicy] " Christopher J. PeBenito
2011-03-18 15:09 ` Guido Trentalancia
2011-03-18 17:14 ` [refpolicy] dual mailing list (was Question: and the policy grows...) Guido Trentalancia
2011-03-18 18:40 ` Daniel J Walsh
2011-03-18 19:13 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1300403099.29107.4.camel@tesla.lan \
--to=guido@trentalancia.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.