| 1 |
On Sun, Jan 16, 2011 at 08:22:03PM +0100, David Sommerseth wrote: |
| 2 |
> Why not have a look at what Fedora and RHEL/CentOS does in that regards? |
| 3 |
> They've probably already been through a lot of these decisions as well, and |
| 4 |
> were probably also one of the earlier adopters. |
| 5 |
|
| 6 |
Well, most of these distributions offer a targeted SELinux policy approach |
| 7 |
(they confine specific services/daemons, but most user activity is ran in |
| 8 |
unconfined domains) instead of a strict SELinux policy approach (no |
| 9 |
unconfined domains). Although they still have the same problem, it's scope |
| 10 |
is not as large as within a strict approach. |
| 11 |
|
| 12 |
The distributions I look at (fedora mainly) doesn't really seem to use |
| 13 |
one or the other. I also can't find any resource that sais to developers |
| 14 |
how they should focus their policies. From a quick chat on #selinux I seem |
| 15 |
to deduce that It Depends (tm). Mostly on the developer in charge. |
| 16 |
|
| 17 |
What I do notice is that, if a module has an allow statement which is |
| 18 |
cosmetic (not needed) it doesn't ever get removed because there's noone |
| 19 |
"trying" to remove statements to see if they are really cosmetic (that's a |
| 20 |
nice conundrum - how do I then know that a rule is cosmetic ;-) |
| 21 |
|
| 22 |
Wkr, |
| 23 |
Sven Vermeulen |
Archives