first encounters with SELINUX, with some suggestions
Russell Coker
russell at coker.com.au
Tue Nov 23 02:02:27 UTC 2004
On Friday 12 November 2004 04:35, Jeff Johnson <n3npq at nc.rr.com> wrote:
> > Sure - but if Red Hat feels it is ready to be a default, surely it can't
> > be too much to ask that *all* developers respect that default and use
> > it? I can't see what issues for them would be unfixable *if* your claim
> > that targeted is a drop-in replacement is true.
>
> Look, *all* is not the issue, development is. A change of the magnitude of
> SELinux is not exactly easy, and even if *all* 1000 or so employees at
> Red Hat ran SE Linux daily, it simply would not make a difference at all.
I disagree. The more skilled people test SE Linux, the more bugs will be
sorted out.

However, realistically we have to acknowledge that most Red Hat employees are
focussed on the area of work that's assigned to them and have little time for
trying out new things. I think that the user-base of SE Linux inside Red Hat
is growing steadily.
> The other, and deeper, issue is writing policy for a build system, which
> has not been seriously attempted yet afaik. Your mach hardening experience
> could only assist with that policy goal (which is very different than
> writing "targeted" policy).
I plan to do this for fedora.us. I may arrange a week with Warren next time
we're in the same area to work this out.
> I'm quite sure issues like booting failures have been "caught" by RH
> developers; it's a new roll of the die for each and every new policy, and
> sh*t happens. Stabilizing policy for everyone is a rather different issue
> than catching problems, and I suggest that there have been demonstrable
> improvements throughout the FC2 and FC3 devel cycles.
Stabilising policy without getting rid of all security is the hard part!
Making a policy that does not prevent you from doing what you want is easy;
making it also prevent bad things from happening is difficult.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page