On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
> On 10/07/11 14:24, Daniel J Walsh wrote:
>> Right now, every domain that transitions to another domain gets
>> the following rule written.
>>
>> dontaudit SOURCE TARGET : process { noatsecure siginh rlimitinh } ;
>>
>> In Fedora 17 policy right now we have 2152 rules, out of
>> Dontaudit: 9415
>>
>> sesearch --dontaudit -p noatsecure | wc -l
>> 2152
>>
>> We could rewrite this with one rule.
>>
>> dontaudit domain domain:process { noatsecure siginh rlimitinh } ;
>>
>> Of course this is more lenient than what we have now, although
>> since it is dontaudit rules, not sure it matters.
>>
>> Comments?
>
> I'm on the fence. On one hand, I hate to overspecify the policy,
> but on the other hand, these perms can only be hit on a domain
> transition. How much does this save?
>
2000/90000 2% of the size of policy.
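
The trade-off discussed in this thread, as an added example that is not part of the original messages: the Python below parses dontaudit rules in the text form quoted above, counts how many per-transition rules the single blanket rule would replace, and counts the (source, target, permission) combinations whose denials would be silenced for the first time. The sample rule lines, the domain list and the function names are constructed for illustration.

```python
import re

# Permissions named in the proposed blanket rule from the thread.
BLANKET_PERMS = frozenset({"noatsecure", "siginh", "rlimitinh"})

# Accepts "src tgt : process { a b } ;" and "src tgt:process a;" spellings.
RULE_RE = re.compile(
    r"^\s*dontaudit\s+(\S+)\s+(\S+?)\s*:\s*(\w+)\s*(?:\{([^}]*)\}|(\w+))\s*;")

# Constructed sample rules and domain list (not taken from a real policy).
SAMPLE = """\
dontaudit init_t sshd_t : process { noatsecure siginh rlimitinh } ;
dontaudit sshd_t user_t : process { noatsecure siginh rlimitinh } ;
dontaudit init_t httpd_t:process { noatsecure rlimitinh siginh };
dontaudit httpd_t shadow_t : file read ;
dontaudit user_t passwd_t : process { siginh } ;
"""
DOMAINS = {"init_t", "sshd_t", "user_t", "httpd_t", "passwd_t"}

def parse_dontaudit(text):
    """Return a list of (source, target, class, frozenset(perms)) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            src, tgt, cls, braced, single = m.groups()
            rules.append((src, tgt, cls, frozenset((braced or single).split())))
    return rules

def collapse_report(text, domains):
    """Compare per-transition rules with one 'domain domain:process' rule."""
    rules = parse_dontaudit(text)
    # Rules made redundant: process class, perms within the blanket set,
    # and both types carrying the domain attribute.
    replaced = [r for r in rules
                if r[2] == "process" and r[3] and r[3] <= BLANKET_PERMS
                and r[0] in domains and r[1] in domains]
    already = {(s, t, p) for s, t, _, perms in replaced for p in perms}
    # Everything the blanket rule silences, including source == target.
    blanket = {(s, t, p) for s in domains for t in domains
               for p in BLANKET_PERMS}
    return {
        "total_dontaudit": len(rules),
        "replaced_by_blanket": len(replaced),
        "rules_after": len(rules) - len(replaced) + 1,
        "newly_silenced": len(blanket - already),
    }

if __name__ == "__main__":
    print(collapse_report(SAMPLE, DOMAINS))
```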