Security testing: need for a security policy, and a security-critical package process

[Bill Nottingham]

Gene Czarcinski (gene at czarc.net) said: 
> Keep it simple (KISS) for the initial attempt.  It will grow more complicated 
> all by itself as time passes.
> 
> BTW, the security policy should assume that a grub password is in use so that 
> a user cannot do something like disabling selinux by editing the kernel 
> command line.  This should be tested by the security QA.

That seems very broken. A security policy that is violated on every
single out of the box install that doesn't do customization?

Bill