
RE: SELinux should be off by default in FC3



> -----Original Message-----
> From: fedora-devel-list-bounces redhat com [mailto:fedora-devel-list-bounces redhat com] On Behalf Of Steve G
> 
> >Design the exposed UI for the end users of the system.  Don't just
> >expose the raw UI that developers understand.  And the config files are
> >definitely UI.
> 
> I'd say that new ways to configure it will evolve out of the current
> environment. Remember when IPTables first came out? You had to be a
> network guru and write your own script. Now you can choose between many
> programs that let you configure iptables. For example, shorewall or
> firewall builder. I think over time (and as the needs are made clearer)
> better tools will be created out of necessity or simply seeing a better
> way.
> 
> This is really what's missing...a healthy set of competing utilities and
> policy writing tools. I've been toying with doing something along the
> lines of firewall builder in my spare time.

Steve - I agree with you here. The underlying policy language does a good
job of representing the SELinux model, but policy writers need some tools
and frameworks to allow them to work at a higher level and more directly
encode the security goals they care about. This might, for example, allow
them to focus on how information flows through an email relay so that they
can ensure that every email must pass through a virus scanner. For an
experienced policy writer, I assert that it is fairly straightforward to
accomplish this in the existing policy language, but for others some more
support is necessary.

We are actively working on this problem and have some interesting concepts
in development. I hope that we will have something more concrete to share in
the coming months.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134

> Gotta clear a back-log of projects first, though.
> 
> -Steve Grubb