SELinux smolt stats
Stephen Smalley
sds at tycho.nsa.gov
Fri Mar 21 14:11:28 UTC 2008
On Mon, 2008-02-18 at 23:45 -0500, Yaakov Nemoy wrote:
> On Feb 18, 2008 11:25 PM, James Morris <jmorris at namei.org> wrote:
> > It seems that the SELinux enablement stats are now online -- thanks!
> >
> > I have a question about what the numbers mean. The current values are:
> >
> > SELinux Enabled
> > False 185085 53.3 %
> > True 162262 46.7 %
> >
> > for 347347 registered hosts.
> >
> > Now, the "OS" column include several distros and versions, including FC5,
> > Centos5 through to current rawhide, with the same number of total hosts.
> >
> > As the SELinux figures have only been collected since F8, does this mean
> > that we should calculate "total SELinux enabled" only for:
> >
> > OS Hosts
> > F8 130282
> > F7.x (rawhide) 5517
> > F8.x (rawhide) 920
> > ----------------------------
> > 136719 (actually providing SELinux stats)
> > ----------------------------
> >
> > where the percentage enabled is actually thus at least 74% ?
>
> We probably need more detailed reporting for this sort of thing. I'll
> put it on a TODO, for after FOSDEM. I wanted to get this draft out,
> so we can decide what reporting we need on a more evolutionary basis.
> (Or by intelligent design if you hold by that sort of thing.)
>
> (Don't worry, I made myself promise myself that I wouldn't pick up new
> project ideas this time around. I'll hopefully be able to take care
> of this fairly quickly.)
Hi,
Any progress on this? At the least, it would be nice if the smolt
selinux stats page only reported enabled/disabled information for Fedora
8 and later where it was actually being collected correctly (I wouldn't
use anything prior, since Fedora 8 test2 had a bug in its reporting and
Fedora 7 and earlier had no reporting for it, IIUC). Otherwise, the
selinux stats page is essentially useless in its current form.
Also, I don't understand the SELinux Enforce section of the page - there
seems to be a mixture of policy type (e.g. targeted, seedit, strict) and
enforcing status (enforcing, permissive) there, which then overlaps with
the SELinux policy section. Possibly by omitting everything prior to
Fedora 8 release would clear that up too since the precise information
being reported changed.
--
Stephen Smalley
National Security Agency
More information about the fedora-devel-list
mailing list