No more selinux-policy-*-sources

Stephen Smalley sds at tycho.nsa.gov
Tue Mar 14 17:51:59 UTC 2006


On Tue, 2006-03-14 at 18:36 +0100, Ralf Ertzinger wrote:
> Hi.
> 
> On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
> 
> > Go read:
> > http://www.ranum.com/security/computer_security/editorials/dumb/
> 
> So shipping the targeted policy is a dumb idea. RH will be glad to hear that.

Targeted policy is just a policy configuration of the SELinux mechanism,
which remains default deny by nature.  Targeted policy just differs from
strict in what it allows to happen.  And targeted policy is a way of
gradually introducing people to real MAC, which does take time, as it is
a paradigm shift.  Note the evolution of targeted policy in Fedora - it
went from a handful of daemons in FC3 to a much larger set in FC4 to an
even larger set in FC5.  Meanwhile, with the ongoing work on policy
tools and management infrastructure, the feasibility of making strict
policy the default in the future is becoming more realistic (still not
there, but not unreasonable once the necessary infrastructure is in
place).

-- 
Stephen Smalley
National Security Agency
