From: guido@trentalancia.com (Guido Trentalancia)
Date: Thu, 17 Mar 2011 22:08:44 +0100
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <20110317202433.GA6695@siphos.be>
References: <1300369855.30425.14.camel@tesla.lan>
 <4D8219D9.7080504@redhat.com>
 <1300377867.30425.40.camel@tesla.lan>
 <4D823A60.9020107@redhat.com>
 <1300390804.31755.6.camel@tesla.lan>
 <20110317202433.GA6695@siphos.be>
Message-ID: <1300396124.31755.48.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi Sven!

On Thu, 17/03/2011 at 21.24 +0100, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 08:40:04PM +0100, Guido Trentalancia wrote:
> > There is at least the limit of not having many people on this list
> > compared to most other Linux projects. Perhaps security is considered
> > something boring to the average user/developer. Or even more likely
> > SELinux is still perceived as "difficult to get into" (a documentation
> > issue).
>
> I think it is more that security is still seen as an expert field, and most
> organizations don't have the people or resources to invest in expert fields
> beyond using what their vendor is offering. And the investments they do is
> more targeting immediate threats like centralized user management, proper
> auditing and such. Mandatory Access Control, although offered on all
> enterprise-grade platforms, is often disregarded as too difficult to master.

I would say most people see security as a very optional, very boring
thing. It couldn't be otherwise, because (hardening) guidelines such as
those from NSA (for Linux or other OS such as Windows) require absolutely no
knowledge about the OS. On Windows, it is really a matter of launching
regedit and a couple of other Microsoft applications and just following
the recommended configuration. On Linux it's just a bit more (editing a
few configuration files maybe). Still many (if not most) people do not
care about investing those 30 minutes...

It's a situation very similar to preventive medicine ("it will never
happen to me"). But I would stop here because perhaps we are getting a
bit off-topic now.

> It is a good thing that RedHat and other (commercial) distributions are
> (starting to) offer SELinux-enabled systems by default. By integrating it
> immediately (and not offering it as an "additional" option) they somewhat
> force organizations to at least understand what it does or is supposed to
> do. By having the non-commercial distributions focus on SELinux more and
> more, this will also create awareness in the community.

Sure.

> Having a working reference policy to start from is an important part here,
> because most community distributions don't have the resources to build off
> general policies that work for the majority of users themselves. I am
> perfectly aware that the reference policy does not entirely do what I would
> expect a policy to do on *my* system, but for a distribution, it is a
> perfect starting point.

Yes.

> The next step then - once a distribution has at least one policy that is
> working well - is to offer the necessary documentation and help for
> administrators to create and manage their own policies [1]. After all, if a
> distribution only delivers the policy but offers little help to modify or
> install your own, then the distributions' the security administrator and not
> some team in the organization.

I think I got lost in the last sentence. But the documentation you
describe is generic documentation about policy writing. So it's
something that could be written once for everybody (ideally a joint
effort).

My question was more about methods for policy reduction and tightening
(a policy management issue)... Can you think about solutions to that
problem?

Regards,

Guido