Request for multiple mailing lists

Request for multiple mailing lists

[Vikram Ambrose]

The SE Linux <selinux@tycho.nsa.gov> mailing list is being cluttered 
with non selinux related material.

Especially concerning refpolicy. And there is no set fast term used for 
filtering such content, and needless to say a waste of bandwidth.

The SELinux list is not a place for non-SELinux maintainers, like Tresys 
to discuss their policies within themselves. Would it be alright for me 
and the other developers in my company to use the SELinux list to 
discuss our policies? Or the next company that decides to adopt SELinux? 
RedHat goes as far as to using the SELinux list as a communication 
channel with Tresys. Unless there has been some agreement made between 
the SELinux gatekeepers (NSA?) , Tresys and Redhat, I find this a misuse 
of the mailing list.

In the last 4 months, there have only been a handful of unique threads 
concerning SELinux. A few by Stepehen, Eric, and myself. Everything else 
is policy related.  With a total of 800 odd messages in this time frame, 
its quite clear the policy discussion is cluttering the list. As more 
and more people begin to adopt SELinux and face the battles of SELinux 
integration, the userspace topic will become increasingly popular.

As I see it, the current list should be split into 3.

1. selinux-kernel
    This would be a very low volume list. .Perhaps even with special 
clearance to address security holes and concerns.
2. selinux-userspace
    This list would deal with userspace tools, wrappers and other non 
kernel related material. Whether it be NSA's userspace tools or support 
for 3rd party applications being compiled to be selinux-aware using 
libselinux. This list is very important, if not the most important of 
the three.
3. selinux-policy
    This list will deal with policies. A good place for Administrators 
and policy developers to discuss the creation, debugging and use of 
various policies. This as it stands would have the highest volume. 
Nevertheless as suggested by Grift Dominick on #selinux, a forum would 
be an even better place to discuss policies. Repository of ideas, 
designs and development dedicated to policies. A forum for the 
Administrator and Policy Developer.

Without this breakdown, the selinux list would be analogous to people 
talking about GNU and C programming on lkml.


Vikram.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Casey Schaufler]

Vikram Ambrose wrote:
> The SE Linux <selinux@tycho.nsa.gov> mailing list is being cluttered 
> with non selinux related material.
>
> Especially concerning refpolicy. And there is no set fast term used 
> for filtering such content, and needless to say a waste of bandwidth.
>

SELinux without policy is like a book without pages. Think of
the reference policy as the pages of the Old Testament.

> The SELinux list is not a place for non-SELinux maintainers, like 
> Tresys to discuss their policies within themselves. Would it be 
> alright for me and the other developers in my company to use the 
> SELinux list to discuss our policies?

Well I think so. It's kind of pointless to have a loadable policy if
everyone always uses the same one now, isn't it?

> Or the next company that decides to adopt SELinux?

You bet. Any issues that arise from any policy should be discussed here.
The basic underlying mechanisms of SELinux have changed more in the past
couple years more in support of policy desires and/or issues than for
any other reason (best I can tell anyhow).

> RedHat goes as far as to using the SELinux list as a communication 
> channel with Tresys. Unless there has been some agreement made between 
> the SELinux gatekeepers (NSA?) , Tresys and Redhat, I find this a 
> misuse of the mailing list.
>
> In the last 4 months, there have only been a handful of unique threads 
> concerning SELinux. A few by Stepehen, Eric, and myself. Everything 
> else is policy related.  With a total of 800 odd messages in this time 
> frame, its quite clear the policy discussion is cluttering the list. 
> As more and more people begin to adopt SELinux and face the battles of 
> SELinux integration, the userspace topic will become increasingly 
> popular.
>

Policy postings are prevalent because policy is where the flexibility of
SELinux lies.

> As I see it, the current list should be split into 3.
>
> 1. selinux-kernel
>    This would be a very low volume list. .Perhaps even with special 
> clearance to address security holes and concerns.

Please, no restricted lists. This is Open Source, after all.

> 2. selinux-userspace
>    This list would deal with userspace tools, wrappers and other non 
> kernel related material. Whether it be NSA's userspace tools or 
> support for 3rd party applications being compiled to be selinux-aware 
> using libselinux. This list is very important, if not the most 
> important of the three.

I could agree if the tool chain, applications, and runtime were not
so tightly integrated with and dependent on the policy.

> 3. selinux-policy
>    This list will deal with policies. A good place for Administrators 
> and policy developers to discuss the creation, debugging and use of 
> various policies. This as it stands would have the highest volume. 
> Nevertheless as suggested by Grift Dominick on #selinux, a forum would 
> be an even better place to discuss policies. Repository of ideas, 
> designs and development dedicated to policies. A forum for the 
> Administrator and Policy Developer.

The policy feeds into the tools which feed back into the policies.
The bulk of the tools are there to deal with policy, so I don't see
them being reasonably separable.

> Without this breakdown, the selinux list would be analogous to people 
> talking about GNU and C programming on lkml.
Which is something that happens from time to time. For good or ill
SELinux is a system, not a just kernel component. Anyone who is serious
about using or even monitoring what goes on with SELinux would need
to watch all three of the proposed lists to make sense of what's
going on.


That is of course the view from over here.

Thank you.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Stanley A. Klein]

However, this from a long time list lurker:  It might be a good idea to
add a digest version to reduce the number of individual emails that come
to list members.


Stan Klein



On Thu, August 7, 2008 1:47 pm, Casey Schaufler wrote:
> Vikram Ambrose wrote:
>> The SE Linux <selinux@tycho.nsa.gov> mailing list is being cluttered
>> with non selinux related material.
>>
>> Especially concerning refpolicy. And there is no set fast term used
>> for filtering such content, and needless to say a waste of bandwidth.
>>
>
> SELinux without policy is like a book without pages. Think of
> the reference policy as the pages of the Old Testament.
>
>> The SELinux list is not a place for non-SELinux maintainers, like
>> Tresys to discuss their policies within themselves. Would it be
>> alright for me and the other developers in my company to use the
>> SELinux list to discuss our policies?
>
> Well I think so. It's kind of pointless to have a loadable policy if
> everyone always uses the same one now, isn't it?
>
>> Or the next company that decides to adopt SELinux?
>
> You bet. Any issues that arise from any policy should be discussed here.
> The basic underlying mechanisms of SELinux have changed more in the past
> couple years more in support of policy desires and/or issues than for
> any other reason (best I can tell anyhow).
>
>> RedHat goes as far as to using the SELinux list as a communication
>> channel with Tresys. Unless there has been some agreement made between
>> the SELinux gatekeepers (NSA?) , Tresys and Redhat, I find this a
>> misuse of the mailing list.
>>
>> In the last 4 months, there have only been a handful of unique threads
>> concerning SELinux. A few by Stepehen, Eric, and myself. Everything
>> else is policy related.  With a total of 800 odd messages in this time
>> frame, its quite clear the policy discussion is cluttering the list.
>> As more and more people begin to adopt SELinux and face the battles of
>> SELinux integration, the userspace topic will become increasingly
>> popular.
>>
>
> Policy postings are prevalent because policy is where the flexibility of
> SELinux lies.
>
>> As I see it, the current list should be split into 3.
>>
>> 1. selinux-kernel
>>    This would be a very low volume list. .Perhaps even with special
>> clearance to address security holes and concerns.
>
> Please, no restricted lists. This is Open Source, after all.
>
>> 2. selinux-userspace
>>    This list would deal with userspace tools, wrappers and other non
>> kernel related material. Whether it be NSA's userspace tools or
>> support for 3rd party applications being compiled to be selinux-aware
>> using libselinux. This list is very important, if not the most
>> important of the three.
>
> I could agree if the tool chain, applications, and runtime were not
> so tightly integrated with and dependent on the policy.
>
>> 3. selinux-policy
>>    This list will deal with policies. A good place for Administrators
>> and policy developers to discuss the creation, debugging and use of
>> various policies. This as it stands would have the highest volume.
>> Nevertheless as suggested by Grift Dominick on #selinux, a forum would
>> be an even better place to discuss policies. Repository of ideas,
>> designs and development dedicated to policies. A forum for the
>> Administrator and Policy Developer.
>
> The policy feeds into the tools which feed back into the policies.
> The bulk of the tools are there to deal with policy, so I don't see
> them being reasonably separable.
>
>> Without this breakdown, the selinux list would be analogous to people
>> talking about GNU and C programming on lkml.
> Which is something that happens from time to time. For good or ill
> SELinux is a system, not a just kernel component. Anyone who is serious
> about using or even monitoring what goes on with SELinux would need
> to watch all three of the proposed lists to make sense of what's
> going on.
>
>
> That is of course the view from over here.
>
> Thank you.
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
>


-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Russell Coker]

On Friday 08 August 2008 03:47, Casey Schaufler <casey@schaufler-ca.com> 
wrote:
> SELinux without policy is like a book without pages. Think of
> the reference policy as the pages of the Old Testament.

http://en.wikipedia.org/wiki/Eisegesis

The problem with such analogies is that SE Linux policy is designed to be 
unambiguous.  See the above URL for details of the issue.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Casey Schaufler]

Russell Coker wrote:
> On Friday 08 August 2008 03:47, Casey Schaufler <casey@schaufler-ca.com> 
> wrote:
>   
>> SELinux without policy is like a book without pages. Think of
>> the reference policy as the pages of the Old Testament.
>>     
>
> http://en.wikipedia.org/wiki/Eisegesis
>
> The problem with such analogies is that SE Linux policy is designed to be 
> unambiguous.  See the above URL for details of the issue

I did not mean to start a religious argument. Use any of these
substitutions for "the Old Testament" that you prefer:

   "Webster's Unabridged Dictionary"
   "the US Tax code"
   "the NFL rule book"

Any text that is definitive, large, and technically readable
by a human being will do.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 573 bytes --]



Russell Coker wrote:
> On Friday 08 August 2008 03:47, Casey Schaufler <casey@schaufler-ca.com> 
> wrote:
>   
>> SELinux without policy is like a book without pages. Think of
>> the reference policy as the pages of the Old Testament.
>>     
>
> http://en.wikipedia.org/wiki/Eisegesis
>
> The problem with such analogies is that SE Linux policy is designed to be 
> unambiguous.  See the above URL for details of the issue.
>
>   
Is that supposed to be funny or just an great example of someone posting 
way off topic demonstrating the need for multiple mailing lists?

[-- Attachment #2: Type: text/html, Size: 1161 bytes --]

Re: Request for multiple mailing lists

[Vesa-Matti J Kari]

Hello,

On Fri, 8 Aug 2008, Andy Warner wrote:

> Russell Coker wrote:
> > On Friday 08 August 2008 03:47, Casey Schaufler <casey@schaufler-ca.com>
> > wrote:
> >
> > > SELinux without policy is like a book without pages. Think of
> > > the reference policy as the pages of the Old Testament.
> > >
> >
> > http://en.wikipedia.org/wiki/Eisegesis
> >
> > The problem with such analogies is that SE Linux policy is designed to be
> > unambiguous.  See the above URL for details of the issue.
> >
> >
> Is that supposed to be funny or just an great example of someone posting way
> off topic demonstrating the need for multiple mailing lists?

There is nothing inherently funny with being logical and demanding
precision. Russell Coker's comment was quite good and to the point. You
should not compare SELinux policies, which are clear and precise, with
ancient mythology, and expect that everyone buys it. This world is full
of so-called Holy Books, after all.

This list should focus on SELinux issues.

Best regards,
vmk
-- 
************************************************************************
               Tietotekniikkaosasto / Helsingin yliopisto
                 IT Department / University of Helsinki
************************************************************************

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Andy Warner]

[-- Attachment #1: Type: text/plain, Size: 1246 bytes --]



Vesa-Matti J Kari wrote:
> Hello,
>
> On Fri, 8 Aug 2008, Andy Warner wrote:
>
>   
>> Russell Coker wrote:
>>     
>>> On Friday 08 August 2008 03:47, Casey Schaufler <casey@schaufler-ca.com>
>>> wrote:
>>>
>>>       
>>>> SELinux without policy is like a book without pages. Think of
>>>> the reference policy as the pages of the Old Testament.
>>>>
>>>>         
>>> http://en.wikipedia.org/wiki/Eisegesis
>>>
>>> The problem with such analogies is that SE Linux policy is designed to be
>>> unambiguous.  See the above URL for details of the issue.
>>>
>>>
>>>       
>> Is that supposed to be funny or just an great example of someone posting way
>> off topic demonstrating the need for multiple mailing lists?
>>     
>
> There is nothing inherently funny with being logical and demanding
> precision. Russell Coker's comment was quite good and to the point. You
> should not compare SELinux policies, which are clear and precise, with
> ancient mythology, and expect that everyone buys it. This world is full
> of so-called Holy Books, after all.
>
> This list should focus on SELinux issues.
>
> Best regards,
> vmk
>   
Didn't realize the NSA was sponsoring a list for voicing religious 
bigotries. Or is that also an "SELinux issue?"

[-- Attachment #2: Type: text/html, Size: 1954 bytes --]

Re: Request for multiple mailing lists

[Vesa-Matti J Kari]

Hello,

On Fri, 8 Aug 2008, Andy Warner wrote:

> Didn't realize the NSA was sponsoring a list for voicing religious bigotries.

The mighty NSA has little or nothing to do with this issue.

The point that is sometimes missed is that not all people are religious,
or if they are, they do not necessarily follow the same sect, and hence
people should think twice before asking anyone to compare, e.g. a SELinux
policy with the Old Testament. Or with the Quran. Or with the Vedas.

Why promote your own ideology on a list that should focus on mutual
technical co-operation and technical issues related to SELinux?

The original writer later said that he did not want to start a religious
argument, and I do believe he was honest when saying so. But next time,
in my opinion, I think he would do well to leave out the religious
comparisons on a technical list. I am saying this in a friendly spirit
and do not mean to sound harsh.

> Or is that also an "SELinux issue?"

No, it is not a SELinux issue.

Best regards,
vmk
--
************************************************************************
               Tietotekniikkaosasto / Helsingin yliopisto
                 IT Department / University of Helsinki
************************************************************************

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Russell Coker]

On Friday 08 August 2008 20:33, Vesa-Matti J Kari <vmkari@cc.helsinki.fi> 
wrote:
> On Fri, 8 Aug 2008, Andy Warner wrote:
> > Didn't realize the NSA was sponsoring a list for voicing religious
> > bigotries.
>
> The mighty NSA has little or nothing to do with this issue.

Actually I believe that they have a policy against discussions of religion on 
the list.  Which is why I didn't make any comment about religion in my 
previous message.

> The point that is sometimes missed is that not all people are religious,
> or if they are, they do not necessarily follow the same sect, and hence
> people should think twice before asking anyone to compare, e.g. a SELinux
> policy with the Old Testament. Or with the Quran. Or with the Vedas.

I think (based on off-list correspondence) that Casey might have been trying 
to compare multiple translations and interpretations of religious documents 
with multiple SE Linux policies.  But his last message to me on this topic 
was not entirely clear.

There is of course the issue that there are many possible ways of writing a 
policy to constrain a given set of programs.  The recent discussions about 
whether to have one domain for all Milters or to have one for each Milter, 
and how to manage multiple user roles are merely the tip of the iceberg in 
this regard.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Joshua Brindle]

Russell Coker wrote:
> On Friday 08 August 2008 20:33, Vesa-Matti J Kari <vmkari@cc.helsinki.fi> 

<snip>

Back on topic:

I've multiple times in the past that I'd like to have a policy list that was separate. The main problem here is that all the core developers would almost certainly be subscribed to both (all) of them so there is little motivation on this end to split the lists out.

I completely disagree with splitting kernel and userland out as kernel changes almost always require userland changes, and userland changes are often created to address format changes, etc that are of interest to the kernel.

That said, even if we had to be subscribed to both it would be easier to disregard the parts less interesting to us (for me, that is policy, for Chris that is the other). 

So I'll +1 the request but believe only 2 lists are necessary.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[max bianco]

On Fri, Aug 8, 2008 at 1:10 PM, Joshua Brindle <method@manicmethod.com> wrote:
> Russell Coker wrote:
>> On Friday 08 August 2008 20:33, Vesa-Matti J Kari <vmkari@cc.helsinki.fi>
>
> <snip>
>
> Back on topic:
>
> I've multiple times in the past that I'd like to have a policy list that was separate. The main problem here is that all the core developers would almost certainly be subscribed to both (all) of them so there is little motivation on this end to split the lists out.
>
> I completely disagree with splitting kernel and userland out as kernel changes almost always require userland changes, and userland changes are often created to address format changes, etc that are of interest to the kernel.
>
> That said, even if we had to be subscribed to both it would be easier to disregard the parts less interesting to us (for me, that is policy, for Chris that is the other).
>
> So I'll +1 the request but believe only 2 lists are necessary.
>
> --

This list is hardly what I would call high traffic. It is about the
only source of current SELinux info that I have found.  Splitting this
into more than one list would be a mistake.
Why?
The policy as pointed out by others is central to selinux. If you
separate the policy discussion from the kernel code discussion then
you start splitting SELinux into separate components and you
subsequently start looking at these separate components as though they
are not part of a cohesive whole. Then you'll fall prey to
communication breakdowns, silly mistakes that would have been caught
will start to slip through. SELinux isn't like any other open source
project. It involves security. That one subject that most people can
never agree on and are afraid to talk about, lest they be wrong,
someone forbid:^) Obviously not a field for the faint of heart or the
close minded. Good security requires an open approach and an
appreciation of the big picture. It's going to be hard to keep a
proper perspective on the big picture, if you forget to check you
policy list because you happen to be especially busy handling kernel
code changes or vice versa. Its easy enough to read the subject line
and disregard the ones that deal with policy if they don't interest
you. You cannot separate the body from the mind. One affects the
other. You cannot treat the kernel code discussion as separate from
the policy discussion. Each has an affect on the other. That's my
.000002.

-Max
-- 
We start decomposing the day we are born

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Casey Schaufler]

Russell Coker wrote:
> On Friday 08 August 2008 20:33, Vesa-Matti J Kari <vmkari@cc.helsinki.fi> 
> wrote:
>   
>> On Fri, 8 Aug 2008, Andy Warner wrote:
>>     
>>> Didn't realize the NSA was sponsoring a list for voicing religious
>>> bigotries.
>>>       
>> The mighty NSA has little or nothing to do with this issue.
>>     
>
> Actually I believe that they have a policy against discussions of religion on 
> the list.  Which is why I didn't make any comment about religion in my 
> previous message.
>
>   
>> The point that is sometimes missed is that not all people are religious,
>> or if they are, they do not necessarily follow the same sect, and hence
>> people should think twice before asking anyone to compare, e.g. a SELinux
>> policy with the Old Testament. Or with the Quran. Or with the Vedas.
>>     
>
> I think (based on off-list correspondence) that Casey might have been trying 
> to compare multiple translations and interpretations of religious documents 
> with multiple SE Linux policies.  But his last message to me on this topic 
> was not entirely clear.
>   

Maybe I should just put what I meant out on the table, then
anyone who would like can argue with me of list and we can
take any issue out of this context.

First, the comparison was very off the cuff, so don't read too
much into it. The comparison is apt because:
- both are large
- both are considered definitive in certain circles
- both have multiple authors
- both are concerned with proper behavior
- individual sections sometimes seem peculiar out of context

There. You can discuss this comparison off line with me if you like,
but I'm not going to say anything more about it here. Sorry if
anyone got offended, directly or indirectly. Golly.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Russell Coker]

On Saturday 09 August 2008 12:20, "max bianco" <maximilianbianco@gmail.com> 
wrote:
> This list is hardly what I would call high traffic. It is about the
> only source of current SELinux info that I have found.

http://selinuxnews.org/planet/

There is the SE Linux planet (see above).  At the moment 3/5 posts are by me.  
I encourage everyone who has a blog and is interested in SE Linux to write 
some suitable posts and get James to syndicate their entire blog or a 
category related to SE Linux if they write many posts.

http://selinuxnews.org/wp/

The above URL has the SE Linux news blog run by James.

The Fedora SE Linux list is good if you use Fedora.

The SE Linux IRC channel is good if IRC suits your needs (but you do need some 
patience, sometimes it takes 8+ hours to get an answer).

> proper perspective on the big picture, if you forget to check you
> policy list because you happen to be especially busy handling kernel

The ability to keep track of things is important.  Having a single list that 
is too busy can be as much of an obstacle as having multiple lists.

Good choice of subject lines for messages can greatly alleviate this problem 
allowing bulk deletion of messages that aren't relevant to your work.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Vikram Ambrose]

As usual, only the ones that wish to argue for no reason are the ones to 
respond, when the culprits stay silent. Nevertheless I didn't expect 
miracles to happen. Open Source is after all a socialist concept, and I 
haven't earned my stripes yet.

Oh and I almost forget, we also need a selinux-offtopic list for the 
likes of Casey Schaufler, Russel Cooker and Vesa-Matti Kari to continue 
their meaningless banters.

/V

Vikram Ambrose wrote:
> The SE Linux <selinux@tycho.nsa.gov> mailing list is being cluttered 
> with non selinux related material.
>
> Especially concerning refpolicy. And there is no set fast term used 
> for filtering such content, and needless to say a waste of bandwidth.
>
> The SELinux list is not a place for non-SELinux maintainers, like 
> Tresys to discuss their policies within themselves. Would it be 
> alright for me and the other developers in my company to use the 
> SELinux list to discuss our policies? Or the next company that decides 
> to adopt SELinux? RedHat goes as far as to using the SELinux list as a 
> communication channel with Tresys. Unless there has been some 
> agreement made between the SELinux gatekeepers (NSA?) , Tresys and 
> Redhat, I find this a misuse of the mailing list.
>
> In the last 4 months, there have only been a handful of unique threads 
> concerning SELinux. A few by Stepehen, Eric, and myself. Everything 
> else is policy related.  With a total of 800 odd messages in this time 
> frame, its quite clear the policy discussion is cluttering the list. 
> As more and more people begin to adopt SELinux and face the battles of 
> SELinux integration, the userspace topic will become increasingly 
> popular.
>
> As I see it, the current list should be split into 3.
>
> 1. selinux-kernel
>    This would be a very low volume list. .Perhaps even with special 
> clearance to address security holes and concerns.
> 2. selinux-userspace
>    This list would deal with userspace tools, wrappers and other non 
> kernel related material. Whether it be NSA's userspace tools or 
> support for 3rd party applications being compiled to be selinux-aware 
> using libselinux. This list is very important, if not the most 
> important of the three.
> 3. selinux-policy
>    This list will deal with policies. A good place for Administrators 
> and policy developers to discuss the creation, debugging and use of 
> various policies. This as it stands would have the highest volume. 
> Nevertheless as suggested by Grift Dominick on #selinux, a forum would 
> be an even better place to discuss policies. Repository of ideas, 
> designs and development dedicated to policies. A forum for the 
> Administrator and Policy Developer.
>
> Without this breakdown, the selinux list would be analogous to people 
> talking about GNU and C programming on lkml.
>
>
> Vikram.
>
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.


-- 
Vikram Ambrose | Linux Products Division | WindRiver Corporation


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Eric Paris]

On Thu, Aug 7, 2008 at 12:41 PM, Vikram Ambrose
<Vikram.Ambrose@windriver.com> wrote:

> The SELinux list is not a place for non-SELinux maintainers, like Tresys to
> discuss their policies within themselves. Would it be alright for me and the
> other developers in my company to use the SELinux list to discuss our
> policies? Or the next company that decides to adopt SELinux? RedHat goes as
> far as to using the SELinux list as a communication channel with Tresys.
> Unless there has been some agreement made between the SELinux gatekeepers
> (NSA?) , Tresys and Redhat, I find this a misuse of the mailing list.

Some misunderstanding.  Tresys is the refpolicy maintainer.  The
intention of refpolicy is to be a single upstream policy on which
others can build, extend, and make their own changes.  Hopefully all
generically useful changes that people make to policy get sent back to
refpolicy.  We don't hear tresys discuss their custom policies, they
only talk about the general refpolicy, of which one of their employees
spends a great deal of maintaining for the benefit of us all.

> As I see it, the current list should be split into 3.

I'm willing to accept and think 2 lists is a good idea.  selinux-list
and selinux-policy-list.  Where selinux-list deals with anything that
comes along, be it userspace, kernel, my BLAH is broken, this tool
sucks, etc etc.  selinux-policy-list is for policy PATCHES ONLY.
There are some people who really follow both closely, but we do have
enough specialists who care 99% about policy those of us who care only
1% about policy.  Sure I'll subscribe to both, but I'm going to ignore
policy list.  I figure if any discussion comes up on policy-list that
needs userspace changes someone will poke me or they will mention it
on the general list.  I think moving policy patches and only patches
that need review to go into refpolicy onto its own list can help a
number of people better focus on things.  Chris can find those patches
without wading through crap and accept/reject them.  I can ignore
them.

My suggestion would be

selinux-list @ nsa - general selinux discussion including userspace
and kernel patches
selinux-policy-list @ whoever - PATCHES intended for refpolicy

-Eric

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Justin Mattock]

On Mon, Aug 11, 2008 at 8:34 AM, Eric Paris <eparis@parisplace.org> wrote:
> On Thu, Aug 7, 2008 at 12:41 PM, Vikram Ambrose
> <Vikram.Ambrose@windriver.com> wrote:
>
>> The SELinux list is not a place for non-SELinux maintainers, like Tresys to
>> discuss their policies within themselves. Would it be alright for me and the
>> other developers in my company to use the SELinux list to discuss our
>> policies? Or the next company that decides to adopt SELinux? RedHat goes as
>> far as to using the SELinux list as a communication channel with Tresys.
>> Unless there has been some agreement made between the SELinux gatekeepers
>> (NSA?) , Tresys and Redhat, I find this a misuse of the mailing list.
>
> Some misunderstanding.  Tresys is the refpolicy maintainer.  The
> intention of refpolicy is to be a single upstream policy on which
> others can build, extend, and make their own changes.  Hopefully all
> generically useful changes that people make to policy get sent back to
> refpolicy.  We don't hear tresys discuss their custom policies, they
> only talk about the general refpolicy, of which one of their employees
> spends a great deal of maintaining for the benefit of us all.
>
>> As I see it, the current list should be split into 3.
>
> I'm willing to accept and think 2 lists is a good idea.  selinux-list
> and selinux-policy-list.  Where selinux-list deals with anything that
> comes along, be it userspace, kernel, my BLAH is broken, this tool
> sucks, etc etc.  selinux-policy-list is for policy PATCHES ONLY.
> There are some people who really follow both closely, but we do have
> enough specialists who care 99% about policy those of us who care only
> 1% about policy.  Sure I'll subscribe to both, but I'm going to ignore
> policy list.  I figure if any discussion comes up on policy-list that
> needs userspace changes someone will poke me or they will mention it
> on the general list.  I think moving policy patches and only patches
> that need review to go into refpolicy onto its own list can help a
> number of people better focus on things.  Chris can find those patches
> without wading through crap and accept/reject them.  I can ignore
> them.
>
> My suggestion would be
>
> selinux-list @ nsa - general selinux discussion including userspace
> and kernel patches
> selinux-policy-list @ whoever - PATCHES intended for refpolicy
>
> -Eric
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>

Hey,
I like the idea, sign me up.
I'll just remember to keep the conversation SELinux
related, instead of some off topic question. i.g.
http://www.engardelinux.org/modules/index/list_archives.cgi?list=selinux&page=0335.html&month=2008-02
usb_hcd_poll_rh_status (rh_timer_func)
Don't ask me why I did that.....

-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Stephen Smalley]

On Fri, 2008-08-08 at 13:10 -0400, Joshua Brindle wrote:
> Russell Coker wrote:
> > On Friday 08 August 2008 20:33, Vesa-Matti J Kari <vmkari@cc.helsinki.fi> 
> 
> <snip>
> 
> Back on topic:
> 
> I've multiple times in the past that I'd like to have a policy list that was separate. The main problem here is that all the core developers would almost certainly be subscribed to both (all) of them so there is little motivation on this end to split the lists out.
> 
> I completely disagree with splitting kernel and userland out as kernel changes almost always require userland changes, and userland changes are often created to address format changes, etc that are of interest to the kernel.
> 
> That said, even if we had to be subscribed to both it would be easier to disregard the parts less interesting to us (for me, that is policy, for Chris that is the other). 
> 
> So I'll +1 the request but believe only 2 lists are necessary.

I'm fine with moving refpolicy patches and discussion to another list
with the exception of changes that touch the core Flask definitions,
which should be copied to both lists as they will affect the kernel or
userspace object managers.

refpolicy certainly doesn't have to be the only policy for SELinux,
although it is a useful source pool that embodies a lot of knowledge
derived over time from the community, and most existing policies are
built from that common source pool.  Prior to refpolicy, the NSA example
policy served the same purpose, and that knowledge and community effort
transitioned from the example policy to refpolicy when refpolicy was
deployed in modern distributions that support SELinux.

While refpolicy is not limited to Tresys (they are just the upstream
maintainers), it seems to make sense to host such a refpolicy list on
the same site that hosts the refpolicy project, so hosting it on
oss.tresys.com would make sense to me.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Request for multiple mailing lists

[Russell Coker]

On Friday 15 August 2008 02:16, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> I'm fine with moving refpolicy patches and discussion to another list
> with the exception of changes that touch the core Flask definitions,
> which should be copied to both lists as they will affect the kernel or
> userspace object managers.

The recent trend towards putting patches on web sites and sending short 
messages announcing them seems to be a good reason to create a new list.

I don't expect the web pages referred to in such messages to be still online 
in a few years time, and therefore the list archives will be of little use in 
that regard.

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.