On Tue, Feb 18, 2020 at 10:34 PM Lukas Vrabec <lvrabec@xxxxxxxxxx> wrote:
> Hi All,
>
> I'll try to answer inline. :)
>
> On 2/18/20 1:18 AM, Paul Moore wrote:
> > I'm sure Lukas has seen this by now, but explicitly adding him just in case :)
> >
>
> Yes, Paul is right, I saw it, sorry for the late reply, these months are quite busy for me.
>
> The truth is, I'm no longer the selinux-policy maintainer for Fedora and Red Hat Enterprise Linux, however I'm still part of the team. :)
>
> Zdenek Pytela took over maintenance responsibilities for the selinux-policy component. (adding him to CC)
>
> > Fedora SELinux folks, Fedora has long held a special place at the forefront of SELinux development and it is a bit of a shame that the default SELinux policy on Fedora is missing so many of the classes/permissions.
>
> I understand this point and agree with you that we're missing new classes and permissions. However, we need to start adding new classes/permissions wisely, to avoid introducing new SELinux policy bugs on stable or future Fedoras, and that is the main reason why we're not proactively accepting these patches from the refpolicy.
>
> > I understand that stable Fedora releases will grow out of sync over time, but is there some way we can keep Rawhide current with upstream?
> >
>
> I fully agree that we should merge the commits from the refpolicy which remove unused permissions and classes. This should *NOT* break anything.
>
> Related to new permissions, we need to understand what the security benefits of adding them to Fedora (and RHEL) are. The main goal is to keep a "good" balance between usability and security (we cannot introduce any regressions by adding policy features).
>
> My suggestion is to start with removing obsolete and unused permissions/classes, and after discussion (e.g. here) we can start picking some good candidate RFEs.
>
> @Ondrej,
> AFAIK, you prepared a PR to remove unused classes and permissions, could we merge it?
No, I didn't :) I only made a PR adding the watch permissions, which doesn't seem to be moving anywhere... But most of Stephen's suggestions can be accomplished by simply cherry-picking the relevant commits from refpolicy, so I encourage the new maintainer (on PTO this week, BTW) or anyone to just go ahead and do it.

Also the perf_event class shouldn't cause many denials, I think we should just add it and add missing permissions as they appear.

--
Ondrej Mosnacek <omosnace at redhat dot com>
Software Engineer, Security Technologies
Red Hat, Inc.
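As an added example (not code from this thread or from the selinux-policy project), the following Python check covers both directions the thread discusses: classes and permissions the kernel exposes but the policy does not declare (the watch and perf_event cases), and declarations the policy carries that the kernel no longer knows (the "remove obsolete" cleanup). The kernel-side class table and the access_vectors text are constructed samples; on a real system the kernel view would be read from the directories under /sys/fs/selinux/class/.

```python
import re

# Constructed sample of the kernel's view, as it would be collected from
# /sys/fs/selinux/class/<class>/perms/ on a running system.
KERNEL_CLASSES = {
    "perf_event": {"open", "cpu", "kernel", "tracepoint", "read", "write"},
    "dir": {"read", "write", "search", "watch", "watch_reads"},
}

# Constructed sample in refpolicy access_vectors syntax (policy side).
# 'dir' lacks the watch permissions, 'perf_event' is not declared at all,
# and 'obsolete_cls' is declared but unknown to the kernel.
POLICY_AV = """
common file
{
	read
	write
}
class dir
inherits file
{
	search
}
class obsolete_cls
{
	frob
}
"""

# One 'common' or 'class' block, with an optional 'inherits <common>' clause.
_BLOCK = re.compile(r"\b(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}")

def parse_access_vectors(text):
    """Return {class: set(perms)} with inherited common perms folded in.
    Assumes commons are defined before the classes that inherit them."""
    commons, classes = {}, {}
    for kind, name, parent, body in _BLOCK.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(parent, set())
    return classes

def diff_policy(kernel, policy):
    """missing: kernel has it, policy lacks it (candidate additions).
    stale: policy declares it, kernel lacks it (candidates for removal)."""
    missing = {c: sorted(p - policy.get(c, set()))
               for c, p in kernel.items() if p - policy.get(c, set())}
    stale = {c: sorted(p - kernel.get(c, set()))
             for c, p in policy.items() if p - kernel.get(c, set())}
    return missing, stale

if __name__ == "__main__":
    miss, old = diff_policy(KERNEL_CLASSES, parse_access_vectors(POLICY_AV))
    print("missing from policy:", miss)
    print("stale in policy:", old)
```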