SELinux should be off by default in FC3

Karl MacMillan kmacmillan at tresys.com
Fri Oct 8 15:25:25 UTC 2004


> -----Original Message-----
> From: fedora-devel-list-bounces at redhat.com [mailto:fedora-devel-list-bounces at redhat.com] On Behalf Of Steve G
> 
> >Design the exposed UI for the end users of the system.  Don't just
> >expose the raw UI that developers understand.  And the config files are
> >definitely UI.
> 
> I'd say that new ways to configure it will evolve out of the current
> environment. Remember when IPTables first came out? You had to be a
> network guru and write your own script. Now you can choose between many
> programs that let you configure iptables. For example, shorewall or
> firewall builder. I think over time (and as the needs are made clearer)
> better tools will be created out of necessity or simply seeing a better
> way.
> 
> This is really what's missing...a healthy set of competing utilities and
> policy writing tools. I've been toying with doing something along the
> lines of firewall builder in my spare time.

Steve - I agree with you here. The underlying policy language does a good
job of representing the SELinux model, but policy writers need some tools
and frameworks to allow them to work at a higher level and more directly
encode the security goals they care about. This might, for example, allow
them to focus on how information flows through an email relay so that they
can ensure that every email must pass through a virus scanner. For an
experienced policy writer, I assert that it is fairly straightforward to
accomplish this in the existing policy language, but for others some more
support is necessary.

We are actively working on this problem and have some interesting concepts
in development. I hope that we will have something more concrete to share in
the coming months.

Karl

Karl MacMillan
Tresys Technology
http://www.tresys.com
(410)290-1411 ext 134
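
Added example, not part of the original message and not Tresys or SELinux project code: a minimal check of the goal mentioned above, that every email must pass through a virus scanner. It assumes the policy's allow rules have already been reduced to directed information-flow edges; all type names and both edge sets are hypothetical and constructed for illustration.

```python
from collections import deque

# Constructed flow edges (source -> target) that a policy would permit.
# All type names are hypothetical.
FLOWS_GOOD = {
    ("smtp_in_t", "mail_queue_t"),
    ("mail_queue_t", "scanner_t"),
    ("scanner_t", "clean_queue_t"),
    ("clean_queue_t", "delivery_t"),
}
# Same policy plus one extra rule letting delivery read the raw queue.
FLOWS_BAD = FLOWS_GOOD | {("mail_queue_t", "delivery_t")}


def bypass_path(flows, source, sink, guard):
    """Return a flow path source -> sink that avoids guard, or None.

    Dropping every edge that touches the guard and then testing
    reachability answers the question "does every flow from source to
    sink pass through guard?". If no path survives, it does.
    Passing guard=None searches the unmodified graph.
    """
    adj = {}
    for a, b in flows:
        if guard not in (a, b):
            adj.setdefault(a, []).append(b)
    parent = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == sink:
            # Walk parent links back to the source to rebuild the path.
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, [])):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None
```

A returned path is the sequence of types along which mail can reach delivery unscanned; `None` means the scanner sits on every route.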

> Gotta clear a back-log of projects first, though.
> 
> -Steve Grubb