-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/12/2011 02:45 PM, Christopher J. PeBenito wrote:
> On 10/12/11 14:10, Daniel J Walsh wrote:
>> On 10/12/2011 01:37 PM, Christopher J. PeBenito wrote:
>>> On 10/12/11 10:15, Daniel J Walsh wrote:
>>>> On 10/12/2011 09:40 AM, Christopher J. PeBenito wrote:
>>>>> On 10/07/11 14:24, Daniel J Walsh wrote:
>>>>>> Right now, every domain that transitions to another
>>>>>> domain gets the following rule written.
>>>>>>
>>>>>> dontaudit SOURCE TARGET : process { noatsecure siginh
>>>>>> rlimitinh } ;
>>>>>>
>>>>>> In Fedora 17 policy right now we have 2152 rules, out of
>>>>>> Dontaudit: 9415
>>>>>>
>>>>>>
>>>>>> sesearch --dontaudit -p noatsecure | wc -l 2152
>>>>>>
>>>>>> We could rewrite this with one rule.
>>>>>>
>>>>>> dontaudit domain domain:process { noatsecure siginh
>>>>>> rlimitinh } ;
>>>>>>
>>>>>> Of course this is more lenient then what we have now,
>>>>>> although since it is dontaudit rules, not sure it
>>>>>> matters.
>>>>>>
>>>>>> Comments?
>>>>
>>>>> I'm on the fence. On one hand, I hate to overspecify the
>>>>> policy, but on the other hand, these perms can only be hit
>>>>> on a domain transition. How much does this save?
>>>>
>>>>
>>>> 2000/90000
>>>>
>>>> 2% of the size of policy.
>>
>>> Based on my test of all Refpolicy modules compiled in, the
>>> size went from 4687381 to 4667101, a 20kB difference. If
>>> someone was trying to squeeze everything out for an embedded
>>> system policy, I could see this change, but otherwise, it
>>> doesn't seem very compelling.
>>
>> That is because you have not already shrunk your policy to the
>> degree that Fedora has. F17 is down to this.
> [...]
>> Allow: 83205 Neverallow: 0 Auditallow:
>> 10 Dontaudit: 6079
>
> I don't understand. The change in Refpolicy was 1690 dontaudit
> rules. If thats a 20kB change in Refpolicy, the 2151 rule change
> in the Fedora policy would probably be ~25kB. What is the current
> size of the Fedora policy (policy.26 on disk)?
>
ls -l /etc/selinux/targeted/policy/policy.26
- -rw-r--r--. 1 root root 1993514 Oct 11 11:14
/etc/selinux/targeted/policy/policy.26
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk6V5SgACgkQrlYvE4MpobMPbwCgpskAh3I/i7UX2dLUCk6y6tsY
uI4An1cbF0C9rPG3M0P4dKus/Mi1zGE3
=WTYs
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
