From: guido@trentalancia.com (Guido Trentalancia) Date: Fri, 18 Mar 2011 00:04:59 +0100 Subject: [refpolicy] Question: and the policy grows... In-Reply-To: <20110317213452.GB6695@siphos.be> References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan> <20110317202433.GA6695@siphos.be> <1300396124.31755.48.camel@tesla.lan> <20110317213452.GB6695@siphos.be> Message-ID: <1300403099.29107.4.camel@tesla.lan> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi Sven ! On Thu, 17/03/2011 at 22.34 +0100, Sven Vermeulen wrote: > On Thu, Mar 17, 2011 at 10:08:44PM +0100, Guido Trentalancia wrote: > > > The next step then - once a distribution has at least one policy that is > > > working well - is to offer the necessary documentation and help for > > > administrators to create and manage their own policies [1]. After all, if a > > > distribution only delivers the policy but offers little help to modify or > > > install your own, then the distributions' the security administrator and not > > > some team in the organization. > > > > I think I got lost in the last sentence. But the documentation you > > describe is generic documentation about policy writing. So it's > > something that could be written once for everybody (ideally a joint > > effort). > > True, but some distributions offer additional tools, methods or packages to > support administrators with SELinux. > > > My question was more about methods for policy reduction and tightening > > (a policy management issue)... Can you think about solutions to that > > problem ? > > I don't have a solution, but my suggestion would be to auditallow the > statements you believe are obsolete for a system and thoroughly test the > system and see if no audits occur. I do not assume anything. In simpler terms, I'd like to scan (search). > If you'd like to have the obsoleted ones suggested rather than you having to > find some, perhaps there is a way to regularly dump the avc cache and after > some time, correlate the dumps with the policy, informing the developer > about rules that were potentially never hit during the test. This is cool ! > Little change in method, same principle. > > But honestly, I would hope that software developers for which a SELinux > policy (module) exists would maintain it as part of their stack, rather than > rely on people like you to debug, test and suggest updates on the policies. I do not want or plan to do anything like that. But thanks for your trust anyway ! Are there any developers actually doing that ? Regards, Guido