[refpolicy] Question: and the policy grows...

Guido Trentalancia guido at trentalancia.com
Thu Mar 17 18:04:59 CDT 2011


Hi Sven !

On Thu, 17/03/2011 at 22.34 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 10:08:44PM +0100, Guido Trentalancia wrote:
> > > The next step then - once a distribution has at least one policy that is
> > > working well - is to offer the necessary documentation and help for
> > > administrators to create and manage their own policies [1]. After all, if a
> > > distribution only delivers the policy but offers little help to modify or
> > > install your own, then the distributions' the security administrator and not
> > > some team in the organization.
> > 
> > I think I got lost in the last sentence. But the documentation you
> > describe is generic documentation about policy writing. So it's
> > something that could be written once for everybody (ideally a joint
> > effort).
> 
> True, but some distributions offer additional tools, methods or packages to
> support administrators with SELinux.
> 
> > My question was more about methods for policy reduction and tightening
> > (a policy management issue)... Can you think about solutions to that
> > problem ?
> 
> I don't have a solution, but my suggestion would be to auditallow the
> statements you believe are obsolete for a system and thoroughly test the
> system and see if no audits occur.

I do not assume anything. In simpler terms, I'd like to scan (search).

> If you'd like to have the obsoleted ones suggested rather than you having to
> find some, perhaps there is a way to regularly dump the avc cache and after
> some time, correlate the dumps with the policy, informing the developer
> about rules that were potentially never hit during the test. 

This is cool !

> Little change in method, same principle.
> 
> But honestly, I would hope that software developers for which a SELinux
> policy (module) exists would maintain it as part of their stack, rather than
> rely on people like you to debug, test and suggest updates on the policies.

I do not want or plan to do anything like that. But thanks for your
trust anyway !

Are there any developers actually doing that ?

Regards,

Guido
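Sven's approach above (auditallow the rules you suspect are obsolete, run the test workload, then see which audits fire) can be mechanised. The following script is an added illustration, not code from this thread or from refpolicy: it assumes constructed candidate rules in sesearch-style `allow` syntax and constructed `avc: granted` audit records, and reports the permissions that were never exercised during the test window.

```python
import re
from collections import defaultdict

# Constructed sample: candidate rules suspected to be obsolete, written in the
# sesearch-style "allow src tgt:class { perms };" form (not real refpolicy output).
CANDIDATE_RULES = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create };
allow sshd_t user_home_t:dir { search };
"""

# Constructed sample audit records as emitted when auditallow rules fire during
# testing; the field layout follows the kernel's "avc: granted" message shape.
AUDIT_LOG = """
type=AVC msg=audit(1300380000.123:42): avc:  granted  { read } for  pid=1234 comm="httpd" path="/var/www/html/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300380001.456:43): avc:  granted  { open } for  pid=1234 comm="httpd" path="/var/www/html/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1300380002.789:44): avc:  granted  { append } for  pid=1234 comm="httpd" path="/var/log/httpd/access_log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\}\s*;")
AVC_RE = re.compile(
    r"avc:\s+granted\s+\{\s*([^}]*)\}.*?"
    r"scontext=\S+?:\S+?:(\w+):\S*\s+tcontext=\S+?:\S+?:(\w+):\S*\s+tclass=(\w+)")

def parse_rules(text):
    """Map (source_type, target_type, class) -> set of permissions the rule grants."""
    rules = {}
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules[(src, tgt, cls)] = set(perms.split())
    return rules

def parse_granted(text):
    """Map (source_type, target_type, class) -> set of permissions actually exercised."""
    seen = defaultdict(set)
    for perms, src, tgt, cls in AVC_RE.findall(text):
        seen[(src, tgt, cls)].update(perms.split())
    return seen

def unused_permissions(rules, seen):
    """Return {(src, tgt, cls): sorted perms} for permissions never observed as granted."""
    report = {}
    for key, perms in rules.items():
        missing = perms - seen.get(key, set())
        if missing:
            report[key] = sorted(missing)
    return report

if __name__ == "__main__":
    for key, perms in unused_permissions(parse_rules(CANDIDATE_RULES), parse_granted(AUDIT_LOG)).items():
        print("never hit: allow %s %s:%s { %s };" % (key[0], key[1], key[2], " ".join(perms)))
```

A permission listed as never hit is only a candidate for removal; coverage of the test workload decides whether the rule is truly obsolete.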
