From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 17 Mar 2011 14:50:54 +0100
Subject: [refpolicy] Question: and the policy grows...
Message-ID: <1300369855.30425.14.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello everybody !

I have a question which I believe is quite interesting.

I often get on and off the list because of a lack of time, but I have
noticed that most (if not all) of the patches that have been submitted
to refpolicy in the last period of time, including a few patches that I
have submitted, were intended to improve usability and were going to add
new permissions to this or that policy module (it's always diff +).

So, the policy grows... and becomes weaker (less tight and secure),
although hopefully more usable.

If this trends continues the policy will just become weaker and weaker
with time and this might not always be backed by an increased usability.

I would even expect that some of the permissions added long time ago and
still present in the policy are no longer needed by more recent versions
of the same packages. And usually backwards compatibility (for very old
package versions) is not something which should be guaranteed forever...

So my question is: who is going to take care of periodically trimming
down the permissions in refpolicy that are no longer needed (keep the
policy tight) ? But more importantly how is this going to be done
technically (the methodology) ?

Thanks for your time !

Regards,

Guido