From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 17 Mar 2011 15:55:16 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <1300390804.31755.6.camel@tesla.lan>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan>
Message-ID: <4D826724.4030908@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/17/2011 03:40 PM, Guido Trentalancia wrote:
>>> In any case, we haven't found a solution (or at least a methodology).
>>> The only (obvious) one I can foresee at the moment is periodically
>>> restarting from scratch (i.e. creating a new generation of refpolicy
>>> from scratch every x years). Which is massive work.
>>>
>> Yes and going to generate a large amount of errors, since most bugs are
>> caused by running apps in different ways.
>>
>>> From the Changelog I take that refpolicy started on June 2005. Software
>>> version numbers do not necessarily mean anything, but just to give an
>>> idea, on June 2005, we had the following versions (taken at random):
>>>
>>> kernel 2.6.12 (now 2.6.38)
>>> Linux-PAM 0.79 (now 1.1.3)
>>> gtk+ 2.6.8 (now 3.0)
>>> evolution 2.3.3 (now 2.32.2)
>>> ...
>> And refpolicy was an attempt to make all rules == example policy when
>> the port happened, so most of the original rules come from prior to 2002.
>>>
>>> I'd be very happy to hear from others...
>>>
>>> Regards,
>>>
>>> Guido
>>>
>> I think if we ever get to the next generation of policy and could start
>> removing rules easily this would help.
> I didn't get this. What could help?
>
Right now removing access is difficult, you really need to be able to
start with the entire policy and build. If we improved the tool chain,
you could remove rules.
Then people could experiment with removing rules and if the system still
works, suggest patches that remove allow rules. Imagine you could write
a policy module that said

    remove application_domain user_tty_device_t:chr_file open;

[SNIP]
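Added example, not part of the original message and not refpolicy or toolchain code: a sketch of what the imagined `remove` statement could mean, subtracting permissions from matching allow rules and reporting removals that match nothing. The `remove` semantics, the literal (non-expanding) name matching and the sample rules are assumptions made for illustration.

```python
import re
from collections import defaultdict

# "remove" is the hypothetical statement imagined in the message, not existing
# policy syntax. Names match literally; attributes are NOT expanded (assumption).
RULE = re.compile(
    r"^(allow|remove)\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;$")

# Constructed sample input.
SAMPLE = """\
allow application_domain user_tty_device_t:chr_file { open read write getattr };
allow application_domain user_devpts_t:chr_file { read write };
remove application_domain user_tty_device_t:chr_file open;
remove application_domain user_devpts_t:chr_file { read write };
remove application_domain user_home_t:file read;   # matches no allow rule
"""

def parse(line):
    m = RULE.match(line)
    if not m:
        raise ValueError(f"unsupported statement: {line!r}")
    kind, src, tgt, cls, braced, single = m.groups()
    perms = braced if braced is not None else single
    return kind, (src, tgt, cls), set(perms.split())

def apply_removes(text):
    """Return (remaining allow rules, remove permissions that matched nothing)."""
    allowed, removes = defaultdict(set), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            kind, key, perms = parse(line)
            if kind == "allow":
                allowed[key] |= perms
            else:
                removes.append((key, perms))
    stale = []
    for key, perms in removes:  # removes apply after every allow, in any order
        granted = allowed.get(key, set())
        if perms - granted:
            stale.append((key, sorted(perms - granted)))
        granted -= perms        # in-place subtraction on the stored set
    rules = []
    for (src, tgt, cls), perms in sorted(allowed.items()):
        if perms:               # a rule with no permissions left disappears
            p = sorted(perms)
            body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
            rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules, stale
```

The stale list is what a patch reviewer would check first: a `remove` that subtracts nothing usually means the access is granted through a different rule or attribute than the one named.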