On Tue, 2006-03-14 at 18:36 +0100, Ralf Ertzinger wrote:
> Hi.
>
> On Tue, 14 Mar 2006 12:30:08 -0500, Stephen Smalley wrote:
>
> > Go read:
> > http://www.ranum.com/security/computer_security/editorials/dumb/
>
> So shipping the targeted policy is a dumb idea. RH will be glad to hear that.

Targeted policy is just a policy configuration of the SELinux mechanism, which remains default deny by nature. Targeted policy just differs from strict in what it allows to happen. And targeted policy is a way of gradually introducing people to real MAC, which does take time, as it is a paradigm shift. Note the evolution of targeted policy in Fedora - it went from a handful of daemons in FC3 to a much larger set in FC4 to an even larger set in FC5. Meanwhile, with the ongoing work on policy tools and management infrastructure, the feasibility of making strict policy the default in the future is becoming more realistic (still not there, but not unreasonable once the necessary infrastructure is in place).

--
Stephen Smalley
National Security Agency