Re: experimental relaxed policy

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 3 May 2004, Thomas Molina wrote:

> > an arbitrary number of 5 for now and are trying to figure out which are 
> > the 5 daemons we would like to put in relaxed policy.
> > 
> > My ideas are
> > 
> > apache
> > bind
> > sendmail
> > ftp
> > ssh???  (Not sure this one is worth securing).
> 
> I am apparently not expressing myself well.  My point is that if we are 
> relaxing policy to the point where you are relying on DAC, what is the 
> point?  I want to test strict policy on those things where it most makes a 
> difference.  In that vein, sendmail and bind are two which have 
> historically had a lot of problems.  I would think those would be 
> candidates for stricter policy, not more permissive.

There is a bit of confusion here, totally understandable.

The daemons referred to above are candidates for being strictly
controlled.

The term 'relaxed policy' here refers to the concept of providing very
strict policies for a small, critical subset of the system, then allowing
the rest of the system to be unconfined.  It's relaxed in terms of not
trying to provide strict policies for every domain.


- James
-- 
James Morris
<jmorris@xxxxxxxxxx>



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux