Script to check security?

With all of the possible variations in security settings - strict,
permissive, local, lots of users, only daemons, etc.

Is there a script around somewhere - something like 'configure' which is
used at the beginning of a component build - which will query various
pieces of a system, do a 'setenforce 1' and then try various programs and
grep the output to give some binary answer, then do 'setenforce 0' and try
the same program, etc.?

This script would help to give struggling sysadmins some degree of
confidence that what is being done to their 'policy.local' or whatever, is
benign.

Of course the script could be corrupted or buggy - one more thing to add to
when adding or changing the SELinux system, but there would be advantages:

Just as the 'no child left behind' program uses testing to measure the
effectiveness of public expenditures on schools ( :-) ), a security testing
script could help to test the effectiveness of the SELinux system as it
evolves.

A testing script would also help to rein in the tendency to add wrinkles
and grow the complexity of the system - each wrinkle would have a test
module to check it.

BobG
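
One way the harness asked about above could look, as an added example that is not part of the original message and not an existing SELinux tool. The function names, the `name|expected|pattern|command` check format and the `SETMODE`, `GETMODE` and `SELINUX_CHECKS` variables are assumptions made for illustration; `setenforce` and `getenforce` are the standard utilities.

```sh
# Added example. Run as root on a test machine only: during the permissive
# pass, policy is not enforced. Override SETMODE/GETMODE for a dry run.
SETMODE=${SETMODE:-setenforce}
GETMODE=${GETMODE:-getenforce}

# probe MODE PATTERN CMD...: switch mode, run CMD; return 0 only if CMD
# exits 0 and its output matches PATTERN, 2 if the mode switch failed.
probe() {
    mode=$1; pattern=$2; shift 2
    $SETMODE "$mode" >/dev/null 2>&1 || return 2
    out=$("$@" 2>&1 </dev/null) || return 1
    printf '%s\n' "$out" | grep -q -- "$pattern" || return 1
}

# classify PATTERN CMD...: print one verdict for a check.
#   same      works in both modes, policy does not affect it
#   enforced  fails only when enforcing, policy blocks it
#   broken    fails in both modes, not an SELinux denial
#   odd       works only when enforcing
classify() {
    e=0; probe 1 "$@" || e=$?
    p=0; probe 0 "$@" || p=$?
    case "$e$p" in
        00) echo same ;;
        10) echo enforced ;;
        11) echo broken ;;
        01) echo odd ;;
        *)  echo error ;;
    esac
}

# run_suite: read "name|expected|pattern|command" lines on stdin, print
# verdict, expectation and name per check, restore the original mode,
# and return 1 if any verdict differs from its expectation.
run_suite() {
    orig=$($GETMODE) || return 2
    [ "$orig" != Disabled ] || return 2
    rc=0
    while IFS='|' read -r name expected pattern cmd; do
        [ -n "$name" ] || continue
        verdict=$(classify "$pattern" sh -c "$cmd")
        printf '%-9s %-9s %s\n' "$verdict" "$expected" "$name"
        [ "$verdict" = "$expected" ] || rc=1
    done
    $SETMODE "$orig" >/dev/null 2>&1 || rc=2
    return $rc
}

# Runs only when a check file is named: SELINUX_CHECKS=checks.txt sh this-file
[ -z "${SELINUX_CHECKS:-}" ] || run_suite < "$SELINUX_CHECKS"
```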
