[refpolicy] Question: and the policy grows...

Guido Trentalancia guido at trentalancia.com
Fri Mar 18 10:25:47 CDT 2011


On Fri, 18/03/2011 at 09.35 -0400, Christopher J. PeBenito wrote:
> On 03/17/11 16:15, Guido Trentalancia wrote:
> > On Thu, 17/03/2011 at 13.54 -0400, Christopher J. PeBenito wrote:
> >> On 03/17/11 12:44, Daniel J Walsh wrote:
> >>> On 03/17/2011 12:04 PM, Guido Trentalancia wrote:
> >>>> On Thu, 17/03/2011 at 10.25 -0400, Daniel J Walsh wrote:
> >>>>> On 03/17/2011 09:50 AM, Guido Trentalancia wrote:
> 
> >> Right.  There was ~6 years of policy development that happened before
> >> Refpolicy started and we didn't want to lose the effort that went into
> >> it.  The idea being that after a rigorous structure was applied, there
> >> is a better chance of identifying excessive permissions.  That did
> >> happen, and we did remove a lot of policy.  But it's hard finding the
> >> little excessive bits that are sprinkled around the policy.
> > 
> > So when did that happen last?
> 
> It's ongoing.

Is it something that would be scheduled periodically or something that
happens "when possible" with "best effort"?

> > And yes, the little excessive bits. Any idea on a method to help
> > spotting that out?
> 
> If they were easy to find, they would have been removed already.  The
> point is that it's not obvious.

Yes, I know. In fact it is a challenging problem with very few obvious
solutions. That's why I thought it was interesting to discuss it.

Regards,

Guido


