On Wed, 2005-02-23 at 08:56 -0500, Ivan Gyurdiev wrote:
I can't comment on that - I'm just a novice contributor and I'm trying to help with what I can. I believe they do this so that security issues are centralized in one place. I'm not sure how mandatory the mandatory access control becomes otherwise. From a practical standpoint I can tell you that writing this thing is not completely trivial, so it helps if people have some experience writing other policies.
Yes, that is what I was told before. Centralising policy lets you perform a better analysis of it, is that right?
I'm not really convinced ... you could apply that logic to any facet of software development. By all means have central groupings of experts to go for *review* of policy, but actually writing it and maintaining it downstream seems like a losing proposition (it won't always reflect the latest version of the software correctly).
That's a good point - perhaps you should discuss it on the NSA list.
That does not apply to inkscape, however, since as I've mentioned inkscape runs in the generic user_t domain, which provides basic permissions to most desktop apps. If inkscape was changed to do something specialized that didn't apply to user_t (like require RWE stack permissions), I suppose it would need its own policy.
Alright, fair enough. So you're not actually writing policy specifically for Inkscape? If this is just the result of testing various applications to see how they run in user_t then you have my apologies, I misunderstood what you are trying to do.
thanks -mike