On Fri, Apr 30, 2004 at 12:14:08PM -0400, Stephen Smalley wrote:
> One thing to consider is that the "relaxed" policy may actually end up
> being more "secure" for the set of security goals it targets. Perhaps a
> better term than "relaxed" would be "specialized" or "targeted". Given
> a small focused set of security goals, you can more easily specify the
> policy and analyze it for exceptions. In contrast, when you try to put
> every process in its own sandbox while supporting existing functionality
> (particularly functionality that isn't used to living in sandboxes), it
> becomes very difficult to analyze the resulting large, complex policy to
> see whether it meets your higher level goals (e.g. don't let apache
> subvert a trusted process).
This sounds like a very good approach, and is much less threatening to a
sysadmin with a large base of systems and users that are all basically
working fine now.
--
Matthew Miller mattdm@xxxxxxxxxx <http://www.mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
|
