excessively verbose policy

Marcelo Klein marceklein at gmail.com
Fri Feb 22 15:51:09 UTC 2008


Is there any possibility of writing bundles of policies that can be
"imported" into other configurations?
Such as defining a package for a set of policies like "shared-libs", and
then when writing the policy putting "import shared-libs" or something like
that?
Is this too complex to do?

Marcelo.

2008/2/22, Daniel J Walsh <dwalsh at redhat.com>:
>
> Bill Nottingham wrote:
> > I was writing policy today, and I couldn't help notice a lot of
> > repetitiveness in our policy:
> >
> >       libs_use_ld_so(...)
> >       libs_use_shared_libs(...)
> >
> > These are needed by, well, everything. Can't they be
> > assumed-unless-denied?
> >
> > Similarly, 99% of confined apps need:
> >
> >       miscfiles_read_localization()
> >       files_read_etc_files(.)
> >         pipes & stream sockets
> >
> > Is there a way to streamline policy so there is a lot less
> > repetition?
> >
> > Bill
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> We have talked about this in the past, and so far it has not gone
> anywhere.  The original goal when refpolicy policy was first written was
> to allow more fine-grained control than the example policy, which
> grouped large amounts of access rules within a single macro
> (can_network), for example.  So we wanted to avoid this, and perhaps the
> pendulum swung too far to the opposite degree.
>