On Fri, Apr 30, 2004 at 12:14:08PM -0400, Stephen Smalley wrote:
> One thing to consider is that the "relaxed" policy may actually end up
> being more "secure" for the set of security goals it targets. Perhaps a
> better term than "relaxed" would be "specialized" or "targeted". Given
> a small focused set of security goals, you can more easily specify the
> policy and analyze it for exceptions. In contrast, when you try to put
> every process in its own sandbox while supporting existing functionality
> (particularly functionality that isn't used to living in sandboxes), it
> becomes very difficult to analyze the resulting large, complex policy to
> see whether it meets your higher level goals (e.g. don't let apache
> subvert a trusted process).

This sounds like a very good approach, and is much less threatening to a
sysadmin with a large base of systems and users that are all basically
working fine now.

-- 
Matthew Miller           mattdm@xxxxxxxxxx        <http://www.mattdm.org/>
Boston University Linux      ------>                <http://linux.bu.edu/>
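The point in the quoted message, that a small targeted policy is easier to check against a higher-level goal such as "apache must not be able to subvert a trusted process", can be made concrete with a toy flow analysis over allow rules. The following is an added illustration, not code from this thread or from any SELinux policy or tool. Every type name, every rule and the split of permissions into write-like, read-like and process-control sets are constructed assumptions for the example; the two rule sets are deliberately small stand-ins for a large "everything sandboxed" policy with one overlooked shared type, and for a targeted policy that confines only httpd with a private temp type.

```python
"""Toy information-flow check over SELinux-style allow rules.

Constructed example: the types, rules and permission classes below are
made up for illustration and are not taken from any real SELinux policy.
The check answers one higher-level question, "can domain X subvert
domain Y?", by following write->read/execute edges through object types
and direct process-control edges between domains.
"""
from collections import deque

# Assumption: this coarse three-way split of permissions is enough to
# ask the question above.  Writing to a type taints it; reading or
# executing a tainted type taints the reader; process-control perms
# taint the target domain directly.
WRITE_LIKE = {"write", "append", "create", "rename", "unlink"}
READ_LIKE = {"read", "execute", "execute_no_trans", "entrypoint"}
PROC_CONTROL = {"ptrace", "sigkill", "sigstop", "signal", "setexec"}


def allow(src, tgt, cls, perms):
    """One allow rule: (source_type, target_type, object_class, perms)."""
    return (src, tgt, cls, frozenset(perms))


def flow_graph(rules):
    """Build directed edges along which influence can propagate:
    domain->type for writes, type->domain for reads/executes, and
    domain->domain for process control."""
    edges = {}

    def add(a, b):
        edges.setdefault(a, set()).add(b)

    for src, tgt, cls, perms in rules:
        if cls == "process" and perms & PROC_CONTROL:
            add(src, tgt)
            continue
        if perms & WRITE_LIKE:
            add(src, tgt)
        if perms & READ_LIKE:
            add(tgt, src)
    return edges


def subversion_path(rules, attacker, victim):
    """Breadth-first search from attacker to victim over the flow graph.
    Returns the list of nodes on the first path found, or None if the
    policy admits no such path (the goal holds for this rule set)."""
    edges = flow_graph(rules)
    prev = {attacker: None}
    queue = deque([attacker])
    while queue:
        node = queue.popleft()
        if node == victim:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


# Constructed "sandbox everything" policy: many domains, many rules, and
# one overlooked shared type (tmp_t) that httpd writes and cron executes.
STRICT_RULES = [
    allow("httpd_t", "httpd_sys_content_t", "file", {"read"}),
    allow("httpd_t", "httpd_log_t", "file", {"append", "create"}),
    allow("httpd_t", "tmp_t", "file", {"write", "create"}),
    allow("cron_t", "cron_spool_t", "file", {"read", "execute_no_trans"}),
    allow("cron_t", "tmp_t", "file", {"read", "execute_no_trans"}),
    allow("sshd_t", "sshd_key_t", "file", {"read"}),
    allow("init_t", "init_var_run_t", "file", {"read", "write"}),
    allow("syslogd_t", "var_log_t", "file", {"append"}),
]

# Constructed targeted policy: only httpd is confined, and it gets a
# private temp type instead of the shared one, so the rule set is small
# and the question is easy to answer.
TARGETED_RULES = [
    allow("httpd_t", "httpd_sys_content_t", "file", {"read"}),
    allow("httpd_t", "httpd_log_t", "file", {"append", "create"}),
    allow("httpd_t", "httpd_tmp_t", "file", {"read", "write", "create"}),
    allow("cron_t", "cron_spool_t", "file", {"read", "execute_no_trans"}),
    allow("cron_t", "tmp_t", "file", {"read", "execute_no_trans"}),
]


def main():
    for name, rules in (("strict", STRICT_RULES), ("targeted", TARGETED_RULES)):
        path = subversion_path(rules, "httpd_t", "cron_t")
        verdict = " -> ".join(path) if path else "no path: goal holds"
        print(f"{name:9s} httpd_t subverts cron_t? {verdict}")


if __name__ == "__main__":
    main()
```

The graph is intentionally pessimistic: any write followed by any read counts as influence, which over-approximates real policies (reading a tainted log is not the same as executing a tainted script). That is the right direction for a goal check, since a "no path" answer is then trustworthy, and it is exactly the kind of analysis that stays tractable when the confined set is small.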