From: guido@trentalancia.com (Guido Trentalancia)
Date: Fri, 18 Mar 2011 16:25:47 +0100
Subject: [refpolicy] Question: and the policy grows...
In-Reply-To: <4D835FBD.4020704@tresys.com>
References: <1300369855.30425.14.camel@tesla.lan> <4D8219D9.7080504@redhat.com> <1300377867.30425.40.camel@tesla.lan> <4D823A60.9020107@redhat.com> <4D824AC3.4070502@tresys.com> <1300392941.31755.17.camel@tesla.lan> <4D835FBD.4020704@tresys.com>
Message-ID: <1300461947.17276.2.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 18/03/2011 at 09.35 -0400, Christopher J. PeBenito wrote:
> On 03/17/11 16:15, Guido Trentalancia wrote:
> > On Thu, 17/03/2011 at 13.54 -0400, Christopher J. PeBenito wrote:
> >> On 03/17/11 12:44, Daniel J Walsh wrote:
> >>> On 03/17/2011 12:04 PM, Guido Trentalancia wrote:
> >>>> On Thu, 17/03/2011 at 10.25 -0400, Daniel J Walsh wrote:
> >>>>> On 03/17/2011 09:50 AM, Guido Trentalancia wrote:
> >
> >> Right. There was ~6 years of policy development that happened before
> >> Refpolicy started and we didn't want to lose the effort that went into
> >> it. The idea being that after a rigorous structure was applied, there
> >> is a better chance of identifying excessive permissions. That did
> >> happen, and we did remove a lot of policy. But it's hard finding the
> >> little excessive bits that are sprinkled around the policy.
> >
> > So when did that happen last?
>
> It's ongoing.

Is it something that would be scheduled periodically or something that happens "when possible" with "best effort"?

> > And yes, the little excessive bits. Any idea on a method to help
> > spotting that out?
>
> If they were easy to find, they would have been removed already. The
> point is that it's not obvious.

Yes, I know. In fact it is a challenging problem with very few obvious solutions. That's why I thought it was interesting to discuss it.

Regards,

Guido