From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 18 Mar 2011 16:09:17 +0100
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D8361F7.8060007@tresys.com>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <1300390804.31755.6.camel@tesla.lan> <4D8361F7.8060007@tresys.com>
Message-ID: <1300460957.4019.16.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher!

On Fri, 18/03/2011 at 09.45 -0400, Christopher J. PeBenito wrote:
> On 03/17/11 15:40, Guido Trentalancia wrote:
> > On Thu, 17/03/2011 at 12.44 -0400, Daniel J Walsh wrote:
> >> On 03/17/2011 12:04 PM, Guido Trentalancia wrote:
> >>> On Thu, 17/03/2011 at 10.25 -0400, Daniel J Walsh wrote:
> >
> >> I think getting people to go in and examine the policy and ask
> >> questions, why do we have these rules would be helpful. Maybe we setup
> >> test days, or something to remove bogus policy.
> >
> > There is at least the limit of not having many people on this list
> > compared to most other Linux projects. Perhaps security is considered
> > something boring to the average user/developer. Or even more likely
> > SELinux is still perceived as "difficult to get into" (a documentation
> > issue).
>
> I think there's two things.
>
> 1. People don't actually care about security, especially if it
> complicates/hinders what they're trying to do. Most people seek
> security measures as a reaction to a security breach.

Typically at that point it would be too late (as opposed to the example
of medicine/health where usually something could still be done).

The second most common reason I have been given (apart from "it will
never happen to me") is in fact: "I am afraid the system would stop
working". At least there is some rationale behind this second reason...

> 2. Of the people that have some interest, SELinux is typically seen as
> too difficult. We've been working on improving this for years.

I think Dominick's reply got straight to the point (which applies in
general to MAC strategy not just SELinux):

"SELinux is not so hard in my view considering its flexibility. But
Linux is complex and vast." (Fri, 18 Mar 2011 11:12:43 +0100)

Many people just want to have a piece of software called "anti-virus"
enclosed in a beautiful and colored package backed by lots of
advertisement on the public media and such piece of software should tell
them that things are all right most of the time or otherwise that issues
are getting tackled within seconds and that everything will get back to
normality within the same amount of time.

But why are we not moving this discussion to the proper thread started
by Russel on the SELinux mailing list? My original question had nothing
to do with this, as it was about policy management. There we could
discuss and plan how to improve the documentation further.

Regards,

Guido