On Fri, May 30, 2008 at 8:47 AM, Christopher J. PeBenito <cpebenito@xxxxxxxxxx> wrote:
> On Fri, 2008-05-30 at 08:19 -0500, Xavier Toth wrote:
>> On Wed, May 28, 2008 at 1:38 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> > The current XAce software is far too complex to do anything useful in my
>> > opinion. We have way too many types and transitions. We need to
>> > simplify down to a lot fewer types.
>>
>> Going back to Dan's concern about the complexity of the X SELinux
>> extension and the number of types and transitions, I'd like to see some
>> discussion/resolution. Eamon, what's your position on this topic?
>
> I don't want to speak for Eamon, but I suspect that he would defend the
> current setup since he's the one that wrote the policy. I just
> restructured it to fit nicer in refpolicy and actually removed a few
> types :)
>
> My position is that it's fine as is. Simplifying it unconditionally
> starts to make it less usable for people that actually want fine-grained
> controls on the desktop. Making things simpler tends to be easy, since
> it tends to be merging types or using attributes for blanket access,
> like unconfined does. The black magic voodoo that happens in the
> xserver, that only a select few have previously known about, has only
> recently been exposed via the SELinux controls. I feel that it may be
> premature to simplify the policy, since side effects probably aren't
> well understood yet. At least they aren't understood well by me yet.

I can relate to that :)

Voodoo note: Any post-login setuid magic will have to allow the xserver
object manager to continue to audit.

I chimed in on this thread because we need to get MLS X up and running
locally in enforcing mode. I wanted to make sure that we (Ted and I)
understood the issues involved as much as possible before changing any
policy.

joe

--
This message was distributed to subscribers of the selinux mailing list.