SELinux-Refpolicy Archive on lore.kernel.org
From: Topi Miettinen <toiwoton@gmail.com>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: Are we on the wrong track?
Date: Fri, 12 Jun 2020 10:05:07 +0300
Message-ID: <df15dc67-343b-0060-27c3-12c277349e33@gmail.com>
In-Reply-To: <3243717.6S2XvbbdUs@liv>

On 12.6.2020 3.03, Russell Coker wrote:
> The reference policy is getting an increasing number of domains and types with
> an O(N^2) level of complexity for writing policy and an O(N^2) size of the
> binary policy.  In 2012 the binary policy on my machines was 560k, now it's
> over 2M.

The policy can be shrunk by disabling unused modules; mine is 760k
because only 166 modules are enabled out of 506. Some of the modules are
for more or less obsolete software (e.g. hal, rlogin, uucp), or they may
target proprietary software, which may be of unknown relevance today.
Perhaps they should be disabled by default, removed from refpolicy or
moved aside to a directory "extra" or "Attic"?

The package installer could also propose groups like "all", "most", 
"recommended", "distro-only" (disable all 3rd party stuff), "minimal" to 
enable/disable modules.

-Topi
