Re: wish-list item for selinux policy analysis
--- Luke Kenneth Casson Leighton <lkcl@xxxxxxxx> wrote:
> On Wed, Jun 29, 2005 at 09:56:58AM -0700, Casey Schaufler wrote:
> >
> > --- Ivan Gyurdiev <gyurdiev@xxxxxxxxxx> wrote:
> >
> > > > reason for this is to be able to fire up a system, run
> > > > it for a while (live) say oh a few months, and then determine
> > > > which bits of the selinux policy.conf have never ever actually
> > > > been used.
> > >
> > > I see several problems with this idea:
> >
> > I say amen to points 1-3. I add ...
> >
> > 4) A derived policy set will only tell you
> > what the programs do, not what they are
> > intended to do. Should I leave doors
> > unlocked because burglars attempt
> > to use them? If no burglar tries my
> > door for a year does that mean having
> > a lock on my door is unnecessary?
>
> wrong way round, casey.
>
> intent of wish-list item is to be able to say "this door
> hasn't been used for a year, let's brick it up".
>
> not, as you imply, "this door hasn't been tried at all in a year, let's
> now leave it wide open".
I get it now. My brain was still in the context of reducing the size of the
policy, and I may have made a connection that wasn't really there. If the goal
is to reduce the policy size you might use this method to find rules you can
remove, and that could be denial rules, which would be what I objected to.
Never mind.
Casey Schaufler
casey@xxxxxxxxxxxxxxxx
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
This mailing list archive is a service of Copilot Consulting.