SELinux smolt stats

Yaakov Nemoy loupgaroublond at gmail.com
Fri Mar 21 15:58:46 UTC 2008


On Fri, Mar 21, 2008 at 10:11 AM, Stephen Smalley <sds at tycho.nsa.gov> wrote:
>
>
>  On Mon, 2008-02-18 at 23:45 -0500, Yaakov Nemoy wrote:
>  > On Feb 18, 2008 11:25 PM, James Morris <jmorris at namei.org> wrote:
>  > > It seems that the SELinux enablement stats are now online -- thanks!
>  > >
>  > > I have a question about what the numbers mean.  The current values are:
>  > >
>  > >   SELinux Enabled
>  > >   False         185085  53.3 %
>  > >   True          162262  46.7 %
>  > >
>  > > for 347347 registered hosts.
>  > >
>  > > Now, the "OS" column includes several distros and versions, including FC5,
>  > > Centos5 through to current rawhide, with the same number of total hosts.
>  > >
>  > > As the SELinux figures have only been collected since F8, does this mean
>  > > that we should calculate "total SELinux enabled" only for:
>  > >
>  > >   OS                    Hosts
>  > >   F8                    130282
>  > >   F7.x (rawhide)          5517
>  > >   F8.x (rawhide)           920
>  > >   ----------------------------
>  > >                         136719 (actually providing SELinux stats)
>  > >   ----------------------------
>  > >
>  > > where the percentage enabled is actually thus at least 74% ?
>  >
>  > We probably need more detailed reporting for this sort of thing.  I'll
>  > put it on a TODO, for after FOSDEM.  I wanted to get this draft out,
>  > so we can decide what reporting we need on a more evolutionary basis.
>  > (Or by intelligent design if you hold by that sort of thing.)
>  >
>  > (Don't worry, I made myself promise myself that I wouldn't pick up new
>  > project ideas this time around.  I'll hopefully be able to take care
>  > of this fairly quickly.)
>
>  Hi,
>
>  Any progress on this?  At the least, it would be nice if the smolt
>  selinux stats page only reported enabled/disabled information for Fedora
>  8 and later where it was actually being collected correctly (I wouldn't
>  use anything prior, since Fedora 8 test2 had a bug in its reporting and
>  Fedora 7 and earlier had no reporting for it, IIUC).  Otherwise, the
>  selinux stats page is essentially useless in its current form.
>
>  Also, I don't understand the SELinux Enforce section of the page - there
>  seems to be a mixture of policy type (e.g. targeted, seedit, strict) and
>  enforcing status (enforcing, permissive) there, which then overlaps with
>  the SELinux policy section.  Possibly omitting everything prior to
>  Fedora 8 release would clear that up too since the precise information
>  being reported changed.

We're making some progress within the time that I have in between
school work.  I have a working proof of concept in our git repository,
which you can see evidence of here:

http://loupgaroublond.blogspot.com/2008/03/sign-of-things-to-come.html

Unfortunately, I think this is a feature that is going to be available
sometime after Fedora 9 is released, as I won't have much time in the
coming month to work on it.

You also mention some confusion in the database fields for Enforce.
There might have been some confusion when we had to do a database
migration.  I will have to investigate this further, as that doesn't
sound correct at all.

-Yaakov



