On 10/12/11 10:15, Daniel J Walsh wrote:
> On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
>> On 10/07/11 14:24, Daniel J Walsh wrote:
>>> Right now, every domain that transitions to another domain gets
>>> the following rule written.
>>>
>>> dontaudit SOURCE TARGET : process { noatsecure siginh rlimitinh }
>>> ;
>>>
>>> In Fedora 17 policy right now we have 2152 rules, out of
>>> Dontaudit: 9415
>>>
>>>
>>> sesearch --dontaudit -p noatsecure | wc -l 2152
>>>
>>> We could rewrite this with one rule.
>>>
>>> dontaudit domain domain:process { noatsecure siginh rlimitinh }
>>> ;
>>>
>>> Of course this is more lenient then what we have now, although
>>> since it is dontaudit rules, not sure it matters.
>>>
>>> Comments?
>
>> I'm on the fence. On one hand, I hate to overspecify the policy,
>> but on the other hand, these perms can only be hit on a domain
>> transition. How much does this save?
>
>
> 2000/90000
>
> 2% of the size of policy.
Based on my test of all Refpolicy modules compiled in, the size went from 4687381 to 4667101, a 20kB difference. If someone was trying to squeeze everything out for an embedded system policy, I could see this change, but otherwise, it doesn't seem very compelling.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
