Bill Nottingham wrote:
I was writing policy today, and I couldn't help notice a lot of repetitiveness in our policy:
libs_use_ld_so(...)
libs_use_shared_libs(...)
These are needed by, well, everything. Can't they be assumed-unless-denied?
Similarly, 99% of confined apps need:
miscfiles_read_localization()
files_read_etc_files(.)
pipes & stream sockets
Is there a way to streamline policy so there is a lot less repetition?
Bill
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
We have talked about this in the past, and so far it has not gone anywhere. The original goal when refpolicy policy was first written was to allow more fine-grained control than the example policy, which grouped large amounts of access rules within a single macro (can_network, for example). So we wanted to avoid this, and perhaps the pendulum swung too far to the opposite degree.