From: russell@coker.com.au (Russell Coker)
Date: Fri, 26 Sep 2008 07:03:22 +1000
Subject: [refpolicy] services_amavis.patch
In-Reply-To: <48DBF018.909@redhat.com>
References: <48DAA876.2030804@redhat.com>
	<200809251719.10269.russell@coker.com.au> <48DBF018.909@redhat.com>
Message-ID: <200809260703.25027.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Friday 26 September 2008 06:10, Daniel J Walsh <dwalsh@redhat.com> wrote:
> I tend to think this is is a good idea to look at some domains and start
> to combine them to simplify policy. ? The pendulum has swung to far
> towards least privs and needs to start coming back the other way. ?Email
> handling/spam filtering/virus checking is the worst example of this.

I don't agree with the blanket statement that the pendulum has swung too far 
towards least privs.

However I think that there are some specific examples which seemed to involve 
too many domains at the time they were created and which never demonstrated a 
need for them.

One example is the Postfix and Qmail policy which I wrote knowing that there 
were not security benefits in using so many domains.  My plan for many years 
has been to review both of them and determine which domains could be merged.  
When I had time to work on this there were no tools to allow such analysis.  
I'll have to get back to this.

-- 
russell at coker.com.au
http://etbe.coker.com.au/          My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development