From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 17 Mar 2011 14:50:54 +0100
Subject: [refpolicy] Question: and the policy grows...
Message-ID: <1300369855.30425.14.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello everybody!

I have a question which I believe is quite interesting.

I often get on and off the list because of a lack of time, but I have noticed that most (if not all) of the patches that have been submitted to refpolicy in the last period of time, including a few patches that I have submitted, were intended to improve usability and were going to add new permissions to this or that policy module (it's always diff +).

So, the policy grows... and becomes weaker (less tight and secure), although hopefully more usable.

If this trend continues, the policy will just become weaker and weaker with time, and this might not always be backed by an increased usability.

I would even expect that some of the permissions added a long time ago and still present in the policy are no longer needed by more recent versions of the same packages. And usually backwards compatibility (for very old package versions) is not something which should be guaranteed forever...

So my question is: who is going to take care of periodically trimming down the permissions in refpolicy that are no longer needed (keep the policy tight)?

But more importantly, how is this going to be done technically (the methodology)?

Thanks for your time!

Regards,

Guido