On Wed, 01 Jun 2005 23:29:59 BST, Mike Hearn said:
> At the moment the focus seems to be on totally centralised policy
> everything the user might want to run (or be secured) ... I can't see this
> scaling as SELinux enters the mainstream.

Well, technically, if it isn't centralized, you don't have a prayer of any
*real* enforcement. There are days when I think that Casey is right, and even
the *current* strict scheme isn't centralized and top-down design enough.

The average user can't write policy, and can't evaluate policy - and neither
can the average developer. Quite frankly, most of the time I'm ecstatic if
I can get a user or developer to state a coherent and realistic threat model.
As a result, it will be a *long* time before we can realistically support
any model other than telling developers to ask for help on the mailing list.
Hopefully with the binary-policy stuff, at least the "how to deploy the
pieces" part will become easier.

There are additional good security reasons for the current model - the
centralized policy is driven out of a centralized development tree, and the
current open review structure ensures both double-checks and honesty among
all concerned. It's hopefully pretty hard to sneak a backdoor (intentional
or accidental) in when Dan Walsh, Russell Coker, and Stephen Smalley are
all cross-checking each other - and everybody and their pet llama are sniping
from the sidelines on this list :) On the other hand, there's no particular
reason for anybody to trust a policy shipped with MobyFrobozz 0.9.4 if it hasn't
been vetted by somebody.

(Aside to the RedHat/Fedora developers - I *like* the description Chris
PeBenito gave of how Gentoo is packaging it - he gave the example of 'ntp'
having a pre-req of 'selinux-ntp'. Having the "owners" of the two
be different people would address most of the issues this sort of thing

And quite frankly, we're not 100% of the way to understanding how to even
do a totally centralized policy - trying to expand out to other stuff might