
Re: wish-list item for selinux policy analysis



--- Ivan Gyurdiev <gyurdiev@xxxxxxxxxx> wrote:

> > reason for this is to be able to fire up a system, run
> > it for a while (live) say oh a few months, and then determine
> > which bits of the selinux policy.conf have never ever actually
> > been used.
> 
> I see several problems with this idea:

I say amen to points 1-3. I add ...

4) A derived policy set will only tell you
what the programs do, not what they are
intended to do. Should I leave doors
unlocked because burglars attempt
to use them? If no burglar tries my
door for a year does that mean having
a lock on my door is unnecessary?




Casey Schaufler
casey@xxxxxxxxxxxxxxxx
