1 |
On Sun, Jan 16, 2011 at 08:22:03PM +0100, David Sommerseth wrote: |
2 |
> Why not have a look at what Fedora and RHEL/CentOS does in that regards? |
3 |
> They've probably already been through a lot of these decisions as well, and |
4 |
> were probably also one of the earlier adopters. |
5 |
|
6 |
Well, most of these distributions offer a targeted SELinux policy approach |
7 |
(they confine specific services/daemons, but most user activity is ran in |
8 |
unconfined domains) instead of a strict SELinux policy approach (no |
9 |
unconfined domains). Although they still have the same problem, it's scope |
10 |
is not as large as within a strict approach. |
11 |
|
12 |
The distributions I look at (fedora mainly) doesn't really seem to use |
13 |
one or the other. I also can't find any resource that sais to developers |
14 |
how they should focus their policies. From a quick chat on #selinux I seem |
15 |
to deduce that It Depends (tm). Mostly on the developer in charge. |
16 |
|
17 |
What I do notice is that, if a module has an allow statement which is |
18 |
cosmetic (not needed) it doesn't ever get removed because there's noone |
19 |
"trying" to remove statements to see if they are really cosmetic (that's a |
20 |
nice conundrum - how do I then know that a rule is cosmetic ;-) |
21 |
|
22 |
Wkr, |
23 |
Sven Vermeulen |