[refpolicy] Question: and the policy grows...
guido at trentalancia.com
Thu Mar 17 18:04:59 CDT 2011
Hi Sven !
On Thu, 17/03/2011 at 22.34 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 10:08:44PM +0100, Guido Trentalancia wrote:
> > > The next step then - once a distribution has at least one policy that is
> > > working well - is to offer the necessary documentation and help for
> > > administrators to create and manage their own policies . After all, if a
> > > distribution only delivers the policy but offers little help to modify or
> > > install your own, then the distributions' the security administrator and not
> > > some team in the organization.
> > I think I got lost in the last sentence. But the documentation you
> > describe is generic documentation about policy writing. So it's
> > something that could be written once for everybody (ideally a joint
> > effort).
> True, but some distributions offer additional tools, methods or packages to
> support administrators with SELinux.
> > My question was more about methods for policy reduction and tightening
> > (a policy management issue)... Can you think about solutions to that
> > problem ?
> I don't have a solution, but my suggestion would be to auditallow the
> statements you believe are obsolete for a system and thoroughly test the
> system and see if no audits occur.
I do not assume anything. In simpler terms, I'd like to scan (search).
> If you'd like to have the obsoleted ones suggested rather than you having to
> find some, perhaps there is a way to regularly dump the avc cache and after
> some time, correlate the dumps with the policy, informing the developer
> about rules that were potentially never hit during the test.
This is cool !
> Little change in method, same principle.
> But honestly, I would hope that software developers for which a SELinux
> policy (module) exists would maintain it as part of their stack, rather than
> rely on people like you to debug, test and suggest updates on the policies.
I do not want or plan to do anything like that. But thanks for your
trust anyway !
Are there any developers actually doing that ?
More information about the refpolicy