[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: first encounters with SELINUX, with some suggestions



On Friday 12 November 2004 04:35, Jeff Johnson <n3npq nc rr com> wrote:
> >Sure - but if Red Hat feels it is ready to be a default, surely it can't
> >be to much to ask that *all* developers respect that default and use
> >it ? I can't see what issues for them would be unfixable *if* your claim
> >that targeted is drop-in replacement is true.
>
> Look *all* is not the issue, development is. A change of the magnitude of
> SELinux is not exactly easy, and even if *all* 1000 or so employees at
> Red Hat ran SE Linux daily, it simply would not make a difference at all.

I disagree.  The more skilled people that test SE Linux the more bugs that 
will be sorted out.

However realistically we have to acknowledge that most Red Hat employees are 
focussed on the area of work that's assigned to them and have little time for 
trying out new things.  I think that the user-base of SE Linux inside Red Hat 
is growing steadily.

> The other, and deeper, issue is writing policy for a build system which
> has not been
> seriously attempted yet afiak/ Your mach hardening experience could only
> assist with
> that policy goal (which is very different than writing "targeted" policy).

I plan to do this for fedora.us.  I may arrange a week with Warren next time 
we're in the same area to work this out.

> I'm quite sure issues like booting failures have been "caught" by RH
> developers, it's
> a new roll of the die for each and every new policy, and sh*t happens.
> Stabilizing
> policy for everyone is a rather different issue than catching problems,
> and I suggest
> that there has been demonstrable improvements throughout FC2 and FC3 devel
> cycles.

Stabilising policy without getting rid of all security is the hard part!  
Making a policy that does not prevent you doing what you want is easy, making 
it also prevent bad things from happening is difficult.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]