On Fri, Apr 30, 2004 at 10:03:51AM -0400, Stephen Smalley wrote: > On Fri, 2004-04-30 at 09:24, Jeremy Katz wrote: > > I think (consistent with my view a few months ago :-) that this is a > > very good idea. At the same time, it's something that's clearly not > > realistic to target for FC2 since the last test release just went out > > and so it'd be going out with very little testing. > > That's fine; it can always be introduced post-FC2. It matters little > for FC2 given that SELinux will be disabled by default for it anyway. Yes a small focused policy is a good thing and much better than apparently inviting people to boot with SELinux off. This would keep the security checking code paths active, but with a minimum list of things to check the impact would be minimized. This includes syslog noise as well. A minimized policy would remove much demand to remove or hobble the kernel side mechanism and minimize any divergence that developers might wish to introduce. I happen to like the current effort to "classify everything" but this is a big task. Since not all packages that folks like to use pass through RH hands the task is almost unbounded. -- T o m M i t c h e l l /dev/null the ultimate in secure storage.
