Christopher J. PeBenito
cpebenito at tresys.com
Mon Oct 6 13:20:16 CDT 2008
On Fri, 2008-09-26 at 07:03 +1000, Russell Coker wrote:
> On Friday 26 September 2008 06:10, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > I tend to think this is is a good idea to look at some domains and start
> > to combine them to simplify policy. The pendulum has swung to far
> > towards least privs and needs to start coming back the other way. Email
> > handling/spam filtering/virus checking is the worst example of this.
> I don't agree with the blanket statement that the pendulum has swung too far
> towards least privs.
> However I think that there are some specific examples which seemed to involve
> too many domains at the time they were created and which never demonstrated a
> need for them.
> One example is the Postfix and Qmail policy which I wrote knowing that there
> were not security benefits in using so many domains. My plan for many years
> has been to review both of them and determine which domains could be merged.
> When I had time to work on this there were no tools to allow such analysis.
> I'll have to get back to this.
One thing specific example that I noticed recently about these was that
there is a mail_spool_t in mta, and postfix and qmail also have their
own spool types. Those sounded like they could possibly all merge into
mail_spool_t, but I haven't had a chance to investigate further.
Tresys Technology, LLC
(410) 290-1411 x150
More information about the refpolicy