1. Local policy a. Not clear where to store the local policy b. To remove permissions, policy modules must be directly modified 2. Testing policy a. No way to determine what permissions in the current policy are actually being checked for or used. 3. Restricting network access a. Multiple methods to use, but it is not clear which is the best b. The steps required are not always clear 4. Resource labeling a. It is not always clear which of following should be used to label file: semanage, restorecon, restorecond, fixfiles, setfiles, chcon, or chcat. b. If a denial occurs because of an incorrect label, it is not easy to determine what the correct type is. i. Example: textrel_shlib_t c. No way to guarantee the proper order of the portcon rules 5. Adding user and roles a. Adding a user or role takes multiple, sometimes not obvious, steps -- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
