Expanding the list of "Hardened Packages"

Adam Williamson awilliam at redhat.com
Tue Apr 16 23:16:17 UTC 2013


On 13/04/13 11:36 AM, Kevin Kofler wrote:

> And I would argue that this amounts to second-guessing/duplicating what the
> program tries to do in an unmaintainable morass of rules, which even for the
> targeted policy (which is not even close to covering all programs in Fedora
> other than as "unconfined") keeps having bugs which need to be fixed every
> day, even after YEARS of debugging. SELinux just does not scale,

SELinux keeps having bugs *because* they progressively build out the 
policies. The coverage of the -targeted policy is now greater than it 
was a few releases back. If they kept the coverage of the stock policies 
the same over time there would be almost no new bugs, but instead, they 
increase the coverage and hence the security it provides progressively 
with each release. *Some* bugs are associated with files moving or 
program functionality changing or whatever, but most are just the result 
of the policies growing: the 'scaling' that you say isn't working.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net