Re: wish-list item for selinux policy analyss

[Luke Kenneth Casson Leighton <lkcl@xxxxxxxx>]

On Wed, Jun 29, 2005 at 10:38:08AM -0700, Ron Kuris wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Casey Schaufler wrote:
> 
> | I say amen to points 1-3. I add ...
> |
> | 4) A derived policy set will only tell you what the programs do,
> | not what they are intended to do. Should I leave doors unlocked
> | because burglers attempt to use them? If no burgler tries my door
> | for a year does that mean having a lock on my door is unnecessary?
> 
> I think the logic here is backwards.  

 yep.  selinux is "MAC".

> a year, then that door is a candidate for becoming a wall instead of a
> door.  Otherwise, you end up in a maze of twisty passages, where
> nobody knows what doors are needed and why.  Fewer doors means less
> memory also, which can be important for embedded systems.
> 
> I think this wish-list item doesn't tell you what you can remove from
> a policy.  However, it might tell you which rules are candidates to be
> changed to a "deny" rule (or lack of an "allow" rule really).  

 absolutely.

 that was the intent.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.