On Friday 12 November 2004 04:35, Jeff Johnson <n3npq@xxxxxxxxx> wrote:
> >Sure - but if Red Hat feels it is ready to be a default, surely it can't
> >be too much to ask that *all* developers respect that default and use
> >it? I can't see what issues for them would be unfixable *if* your claim
> >that targeted is drop-in replacement is true.
>
> Look *all* is not the issue, development is. A change of the magnitude of
> SELinux is not exactly easy, and even if *all* 1000 or so employees at
> Red Hat ran SE Linux daily, it simply would not make a difference at all.

I disagree. The more skilled people that test SE Linux the more bugs that will
be sorted out. However realistically we have to acknowledge that most Red Hat
employees are focussed on the area of work that's assigned to them and have
little time for trying out new things.

I think that the user-base of SE Linux inside Red Hat is growing steadily.

> The other, and deeper, issue is writing policy for a build system which
> has not been seriously attempted yet afaik. Your mach hardening experience
> could only assist with that policy goal (which is very different than
> writing "targeted" policy).

I plan to do this for fedora.us. I may arrange a week with Warren next time
we're in the same area to work this out.

> I'm quite sure issues like booting failures have been "caught" by RH
> developers, it's a new roll of the die for each and every new policy, and
> sh*t happens. Stabilizing policy for everyone is a rather different issue
> than catching problems, and I suggest that there has been demonstrable
> improvements throughout FC2 and FC3 devel cycles.

Stabilising policy without getting rid of all security is the hard part!
Making a policy that does not prevent you doing what you want is easy; making
it also prevent bad things from happening is difficult.
-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page