SELinux smolt stats

Stephen Smalley sds at tycho.nsa.gov
Fri Mar 21 14:11:28 UTC 2008 

On Mon, 2008-02-18 at 23:45 -0500, Yaakov Nemoy wrote:
> On Feb 18, 2008 11:25 PM, James Morris <jmorris at namei.org> wrote:
> > It seems that the SELinux enablement stats are now online -- thanks!
> >
> > I have a question about what the numbers mean.  The current values are:
> >
> >   SELinux Enabled
> >   False         185085  53.3 %
> >   True          162262  46.7 %
> >
> > for 347347 registered hosts.
> >
> > Now, the "OS" column include several distros and versions, including FC5,
> > Centos5 through to current rawhide, with the same number of total hosts.
> >
> > As the SELinux figures have only been collected since F8, does this mean
> > that we should calculate "total SELinux enabled" only for:
> >
> >   OS                    Hosts
> >   F8                    130282
> >   F7.x (rawhide)          5517
> >   F8.x (rawhide)           920
> >   ----------------------------
> >                         136719 (actually providing SELinux stats)
> >   ----------------------------
> >
> > where the percentage enabled is actually thus at least 74% ?
> 
> We probably need more detailed reporting for this sort of thing.  I'll
> put it on a TODO, for after FOSDEM.  I wanted to get this draft out,
> so we can decide what reporting we need on a more evolutionary basis.
> (Or by intelligent design if you hold by that sort of thing.)
> 
> (Don't worry, I made myself promise myself that I wouldn't pick up new
> project ideas this time around.  I'll hopefully be able to take care
> of this fairly quickly.)

Hi,

Any progress on this?  At the least, it would be nice if the smolt
selinux stats page only reported enabled/disabled information for Fedora
8 and later where it was actually being collected correctly (I wouldn't
use anything prior, since Fedora 8 test2 had a bug in its reporting and
Fedora 7 and earlier had no reporting for it, IIUC).  Otherwise, the
selinux stats page is essentially useless in its current form.

Also, I don't understand the SELinux Enforce section of the page - there
seems to be a mixture of policy type (e.g. targeted, seedit, strict) and
enforcing status (enforcing, permissive) there, which then overlaps with
the SELinux policy section.  Possibly by omitting everything prior to
Fedora 8 release would clear that up too since the precise information
being reported changed.

-- 
Stephen Smalley
National Security Agency

More information about the fedora-devel-list mailing list