No more selinux-policy-*-sources
Chad Sellers
csellers at tresys.com
Tue Mar 14 18:32:03 UTC 2006
Arjan van de Ven wrote:
>
> The parallel to firewalls has been made several times. But in fact the
> linux firewall does exactly this; the "related" ruleset is a dynamic
> behavior that allows more than strictly would be needed to be allowed,
> yet it's an effective way to keep things tight when you know they can
> be.
>
There have been a number of valid points about the current usability of
SELinux, and those are exactly what we're working on addressing right now.
> So that leaves a few options:
> * dynamic policy that adjusts to the configuration
> this is going to be of the same order of complexity as the
> configuration options are in the first place.
This is definitely possible, and we're currently working on something
very similar. Check out the Websphere case study slides from the SELinux
Symposium at http://selinux-symposium.org/2006/slides/05-websphere.pdf.
This could easily be applied to other applications such as a apache with
exceptionally rich configuration options.
> * keep the policy simple but allow more than strictly needed, yet
> disallow things that are highly out of bound.
As Steve pointed out, you have to first build the right mechanism, then
build on top of that. We've spent a lot of time on the mechanism, and
we're now working on making things easier. There are several projects
currently working to make policy simpler. These range from the bottom-up
approach of Reference Policy (http://serefpolicy.sourceforge.net/) to
the top-down approach of adding higher-level languages on top of SELinux
policy (a couple of these were presented at the SELinux Symposium as well).
In working to make the mechanism right, perhaps we've ignored usability
a bit. This doesn't mean the technology is doomed. On the contrary, I'd
say that the only reason it has a chance is because the mechanism is so
complete. Please don't discount SELinux just because these usability
features are still in their infancy.
Thanks,
Chad Sellers
--
----------------------
Chad Sellers
Tresys Technology, LLC
csellers at tresys.com
http://www.tresys.com
More information about the fedora-devel-list
mailing list