From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 17 Mar 2011 21:24:34 +0100
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <1300390804.31755.6.camel@tesla.lan>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan>
Message-ID: <20110317202433.GA6695@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, Mar 17, 2011 at 08:40:04PM +0100, Guido Trentalancia wrote:
> There is at least the limit of not having many people on this list
> compared to most other Linux projects. Perhaps security is considered
> something boring to the average user/developer. Or even more likely
> SELinux is still perceived as "difficult to get into" (a documentation
> issue).

I think it is more that security is still seen as an expert field, and most organizations don't have the people or resources to invest in expert fields beyond using what their vendor is offering. And the investments they do make are more targeted at immediate threats like centralized user management, proper auditing and such.

Mandatory Access Control, although offered on all enterprise-grade platforms, is often disregarded as too difficult to master.

It is a good thing that RedHat and other (commercial) distributions are (starting to) offer SELinux-enabled systems by default. By integrating it immediately (and not offering it as an "additional" option) they somewhat force organizations to at least understand what it does or is supposed to do.

By having the non-commercial distributions focus on SELinux more and more, this will also create awareness in the community. Having a working reference policy to start from is an important part here, because most community distributions don't have the resources to build general policies that work for the majority of users themselves.

I am perfectly aware that the reference policy does not entirely do what I would expect a policy to do on *my* system, but for a distribution, it is a perfect starting point. The next step then - once a distribution has at least one policy that is working well - is to offer the necessary documentation and help for administrators to create and manage their own policies [1]. After all, if a distribution only delivers the policy but offers little help to modify or install your own, then the distributions' the security administrator and not some team in the organization.

Wkr,
Sven Vermeulen

[1] Not saying that the current distributions don't do this yet (or sufficiently), this is more of a TODO I'm having here for myself and the other SELinux helpers in Gentoo ;-)