[refpolicy] Question: and the policy grows...
Guido Trentalancia
guido at trentalancia.com
Fri Mar 18 10:20:13 CDT 2011
On Fri, 18/03/2011 at 09.52 -0400, Christopher J. PeBenito wrote:
> On 03/17/11 17:34, Sven Vermeulen wrote:
> > I don't have a solution, but my suggestion would be to auditallow the
> > statements you believe are obsolete for a system and thoroughly test the
> > system and see if no audits occur.
> >
> > If you'd like to have the obsoleted ones suggested rather than you having to
> > find some, perhaps there is a way to regularly dump the avc cache and after
> > some time, correlate the dumps with the policy, informing the developer
> > about rules that were potentially never hit during the test.
>
> This has been considered in the past. The biggest problem is that if
> you don't exercise all of the code paths, especially the obscure error
> paths, you may be removing valid policy.
A magic solution to that class of problems does not exist. Similar
drawbacks exist when creating policy for a package that has been written
by somebody else. So there would still need to be some trial and error
part.
Nevertheless, in my opinion that solution is wonderful! The best answer
I have received so far. A consistent and general methodology.
Regards,
Guido
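The method Sven suggests and Guido endorses (turn the suspect `allow` rules into `auditallow`, exercise the system, then correlate what the kernel reports as granted against the candidate rules) is easy to script for the correlation step. The following is an added example, not part of this thread or of refpolicy's own tooling: the candidate rules, the type names (`foo_t`, `foo_conf_t`, `foo_log_t`) and the audit log lines are all constructed for illustration. The log lines follow the kernel's AVC audit record layout, where an `auditallow` rule that fires produces `avc:  granted` rather than `avc:  denied`.

```python
import re
from collections import defaultdict

# Constructed candidate rules. On the test system these would be rewritten as
# `auditallow` rules (e.g. `auditallow foo_t foo_conf_t:file { read getattr open };`)
# so that every grant is audited; here they are kept as tuples so the script
# can compare them with what the kernel actually granted.
# Format: (source type, target type, object class, permissions)
CANDIDATE_RULES = [
    ("foo_t", "foo_conf_t", "file", frozenset({"read", "getattr", "open"})),
    ("foo_t", "foo_log_t", "file", frozenset({"append"})),
    ("foo_t", "tmp_t", "dir", frozenset({"write", "add_name"})),
]

# Matches the record an auditallow rule emits: "avc:  granted  { perms } ...
# scontext=... tcontext=... tclass=...". Denials ("avc:  denied") do not match.
AVC_GRANTED = re.compile(
    r"avc:\s+granted\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def granted_perms(log_lines):
    """Collect permissions the kernel reported as granted, keyed by
    (source type, target type, object class)."""
    seen = defaultdict(set)
    for line in log_lines:
        m = AVC_GRANTED.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        seen[key].update(m["perms"].split())
    return seen


def unused_permissions(rules, log_lines):
    """For each candidate rule, return the permissions never seen as granted
    during the test run. These are candidates for removal, not proof: a
    permission may only be needed on a code path the tests did not reach."""
    seen = granted_perms(log_lines)
    report = {}
    for src, tgt, cls, perms in rules:
        unused = perms - seen.get((src, tgt, cls), set())
        if unused:
            report[(src, tgt, cls)] = sorted(unused)
    return report


# Constructed sample audit records, in the kernel's AVC format (not captured
# from a real system). The last line is a denial and must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1300458000.101:201): avc:  granted  { read open } for  pid=2311 comm="foo" path="/etc/foo/foo.conf" dev="sda1" ino=4071 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_conf_t:s0 tclass=file
type=AVC msg=audit(1300458001.242:202): avc:  granted  { getattr } for  pid=2311 comm="foo" path="/etc/foo/foo.conf" dev="sda1" ino=4071 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_conf_t:s0 tclass=file
type=AVC msg=audit(1300458002.305:203): avc:  granted  { append } for  pid=2311 comm="foo" path="/var/log/foo.log" dev="sda1" ino=9920 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:foo_log_t:s0 tclass=file
type=AVC msg=audit(1300458003.410:204): avc:  denied  { write } for  pid=2311 comm="foo" name="tmp" dev="sda1" ino=2 scontext=system_u:system_r:foo_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
""".splitlines()


if __name__ == "__main__":
    # Print each candidate rule restricted to the permissions that were never hit.
    for (src, tgt, cls), perms in unused_permissions(CANDIDATE_RULES, SAMPLE_AUDIT_LOG).items():
        print(f"never granted during test: allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
```

On a real system the log lines would come from the audit log (or from `ausearch -m AVC`) after the test run, and the candidate list from the rules you converted to `auditallow`. The report is only a starting point for the trial-and-error Guido mentions: as PeBenito notes above, a rule that never fired may still be needed on an error path the tests did not exercise, so each entry should be reviewed rather than deleted mechanically.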