On Thu, 2005-05-26 at 10:13 -0400, Valdis.Kletnieks@private wrote: > 4,821 4K slab pages. Just shy of 20M. That's with the Fedora RPM > selinux-policy-strict-1.23.14-2 and only two different user_u defined. This will all get a lot better at a fundamental level once the Tresys binary modules land, as then we can have a base binary policy module installed with Fedora and dynamically load application policy only once their associated packages are installed, in addition to easily letting the administrator add their own policy. However it's certainly feasible today to install policy-sources and apply rm -f to unneeded .te files. If you have the technical ability to write a custom LSM, I don't see how this should be a problem. > The > 'targeted' policy is a lot smaller, but you really can't do it easily with the > 'targeted' policy because that dumps everything into unconfined_t. You probably > can heave everything over the side and do up a custom policy that takes > a lot less - but it's *still* going to be more heavyweight. More heavyweight, sure - but after removing a lot of unnecessary .te files, would it still have an important impact on system performance? My guess is that you could get the strict policy down to one or two megabytes or less (i.e. not a significant impact on performance), and in that case you meet the original security goal, and could easily add additional security using the same framework (e.g. you could define a real full_user_role() for one or two users which warranted it). > Another issue with doing this in an SELinux-only solution is the maintenance cost > if you want to deploy this alongside current policy - right now, it's a lot harder > to run "strict policy with 3-5 minor changes" than it should be (which is a known > issue, related to "programs/RPMs ship their own incremental policy"). You are right there - but that's in the process of being fixed, should land in the next month or two.
This archive was generated by hypermail 2.1.3 : Thu May 26 2005 - 09:37:33 PDT