how does rpm work under Selinux

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Jun 2 05:29:00 UTC 2005


On Wed, 01 Jun 2005 23:29:59 BST, Mike Hearn said:

> At the moment the focus seems to be on totally centralised policy for
> everything the user might want to run (or be secured) ... I can't see this
> scaling as SELinux enters the mainstream.

Well, technically, if it isn't centralized, you don't have a prayer of any
*real* enforcement.  There are days when I think that Casey is right, and even
the *current* strict scheme isn't centralized and top-down enough in its design.

The average user can't write policy, and can't evaluate policy - and neither
can the average developer.  Quite frankly, most of the time I'm ecstatic if
I can get a user or developer to state a coherent and realistic threat model.
As a result, it will be a *long* time before we can realistically support
any model other than telling developers to ask for help on the mailing list.
Hopefully with the binary-policy stuff, at least the "how to deploy the
pieces" part will become easier.

There are additional good security reasons for the current model - the
centralized policy is driven out of a centralized development tree, and the
current open review structure ensures both double-checks and honesty among
all concerned.  It's hopefully pretty hard to sneak a backdoor (intentional
or accidental) in when Dan Walsh, Russell Coker, and Stephen Smalley are
all cross-checking each other - and everybody and their pet llama are sniping
from the sidelines on this list :)  On the other hand, there's no particular
reason for anybody to trust a policy shipped with MobyFrobozz 0.9.4 if it hasn't
been vetted by somebody.

(Aside to the RedHat/Fedora developers - I *like* the description Chris
PeBenito gave of how Gentoo is packaging it - he gave the example of 'ntp'
having a pre-req of 'selinux-ntp'.  Having the "owners" of the two packages
be different people would address most of the issues this sort of thing
causes....)

And quite frankly, we're not 100% of the way to understanding how to even
do a totally centralized policy - trying to expand out to other stuff might
be foolhardy.