On Mon, 3 May 2004, Thomas Molina wrote:

> > an arbitrary number of 5 for now and are trying to figure out which are
> > the 5 daemons we would like to put in relaxed policy.
> >
> > My ideas are
> >
> > apache
> > bind
> > sendmail
> > ftp
> > ssh??? (Not sure this one is worth securing).
>
> I am apparently not expressing myself well. My point is that if we are
> relaxing policy to the point where you are relying on DAC, what is the
> point? I want to test strict policy on those things where it most makes a
> difference. In that vein, sendmail and bind are two which have
> historically had a lot of problems. I would think those would be
> candidates for stricter policy, not more permissive.

There is a bit of confusion here, totally understandable.

The daemons referred to above are candidates for being strictly
controlled.

The term 'relaxed policy' here refers to the concept of providing very
strict policies for a small, critical subset of the system, then allowing
the rest of the system to be unconfined. It's relaxed in terms of not
trying to provide strict policies for every domain.

- James
--
James Morris
<jmorris@xxxxxxxxxx>