From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 18 Mar 2011 09:52:16 -0400
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <20110317213452.GB6695@siphos.be>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan> <20110317202433.GA6695@siphos.be> <1300396124.31755.48.camel@tesla.lan> <20110317213452.GB6695@siphos.be>
Message-ID: <4D836390.3030405@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 03/17/11 17:34, Sven Vermeulen wrote:
> I don't have a solution, but my suggestion would be to auditallow the
> statements you believe are obsolete for a system and thoroughly test the
> system and see if no audits occur.
>
> If you'd like to have the obsoleted ones suggested rather than you having to
> find some, perhaps there is a way to regularly dump the avc cache and after
> some time, correlate the dumps with the policy, informing the developer
> about rules that were potentially never hit during the test.

This has been considered in the past. The biggest problem is that if you
don't exercise all of the code paths, especially the obscure error paths,
you may be removing valid policy.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
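The correlation Sven describes (auditallow the suspect rules, exercise the system, then match what the kernel reported as granted against the policy) can be mechanised. The script below is an added example written for this page; it is not code from the refpolicy project or from either poster. The audit records and the candidate allow rules it reads are constructed, and the types in them (ntpd_t, ntpd_conf_t, ntpd_var_lib_t, ntpd_log_t) are used only as illustration. It reports each rule, and each individual permission inside a rule, for which no matching `avc: granted` record appeared. Denials are deliberately ignored, since only a granted access is evidence that an allow rule was used. Chris's caveat carries over unchanged: a permission that never fired during the run was merely not observed, and may still be needed by an error path the test did not reach.

```python
"""Correlate `avc: granted` audit records (produced by auditallow rules) with
candidate allow rules to find rules, or permissions within rules, that never
fired during a test run.

Added example for this thread, not refpolicy code. All inputs are constructed.
"""
import re
from collections import defaultdict

# Constructed sample audit records in the format the kernel emits once an
# auditallow rule covering the access is loaded. The third line is a denial
# and must be ignored: only granted accesses show that an allow rule was used.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1300000000.101:12): avc:  granted  { read open } for  pid=1234 comm="ntpd" name="ntp.conf" dev="sda1" ino=4711 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_conf_t:s0 tclass=file
type=AVC msg=audit(1300000000.102:13): avc:  granted  { write } for  pid=1234 comm="ntpd" name="drift" dev="sda1" ino=4712 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1300000000.103:14): avc:  denied  { write } for  pid=1234 comm="ntpd" name="ntp.conf" dev="sda1" ino=4711 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntpd_conf_t:s0 tclass=file
"""

# Constructed candidate rules (hypothetical types): the allow statements the
# developer suspects are obsolete. Each is assumed to have a twin auditallow
# loaded so that every use shows up as a granted record.
CANDIDATE_RULES = """\
allow ntpd_t ntpd_conf_t:file { read open };
allow ntpd_t ntpd_var_lib_t:file { read write };
allow ntpd_t ntpd_log_t:file append;
"""

# allow <source> <target>:<class> { perm ... } ;   or a single bare perm
RULE_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;", re.MULTILINE
)
# Only 'granted' records are matched; 'denied' records fall through.
GRANTED_RE = re.compile(
    r"avc:\s+granted\s+\{\s*([^}]*?)\s*\}\s+for\s+.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)


def _type_of(context):
    """Pull the type field out of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_allow_rules(text):
    """Return [((source, target, class), frozenset(perms)), ...] in file order."""
    rules = []
    for src, tgt, cls, perms in RULE_RE.findall(text):
        if tgt == "self":          # 'self' means the target type is the source type
            tgt = src
        perms = perms.strip("{} ").split()
        rules.append(((src, tgt, cls), frozenset(perms)))
    return rules


def parse_granted(text):
    """Map (source_type, target_type, class) -> set of permissions seen granted."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = GRANTED_RE.search(line)
        if not m:                  # denials and non-AVC records carry no evidence
            continue
        perms, scontext, tcontext, tclass = m.groups()
        seen[(_type_of(scontext), _type_of(tcontext), tclass)].update(perms.split())
    return seen


def find_unexercised(rules, granted):
    """Rules with at least one permission never seen granted, with that set.

    A rule absent from the result had every permission observed. A rule
    present was only *not observed* during this run; it may still be needed
    by a path the test never reached (error handling, rare configuration),
    which is the caveat raised in the reply above. Treat the output as a
    list of candidates to test harder, not as a list of rules to delete.
    """
    result = []
    for key, perms in rules:
        unhit = perms - granted.get(key, set())
        if unhit:
            result.append((key, frozenset(unhit)))
    return result


if __name__ == "__main__":
    rules = parse_allow_rules(CANDIDATE_RULES)
    seen = parse_granted(SAMPLE_AUDIT)
    for (src, tgt, cls), unhit in find_unexercised(rules, seen):
        print(f"never granted: allow {src} {tgt}:{cls} {{ {' '.join(sorted(unhit))} }}")
```

On a real system the input would be `ausearch -m AVC` output (or the raw audit log) collected across the whole test period rather than a one-off dump, and the candidate rule list would be whatever the developer marked with auditallow; the rule text here is the plain TE form, so macro-expanded policy must be fed in after expansion.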