<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Feb 10, 2015 at 4:08 PM, Bill Frantz <span dir="ltr"><<a href="mailto:frantz@pwpconsult.com" target="_blank">frantz@pwpconsult.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2/10/15 at 2:49 PM, <a href="mailto:leichter@lrw.com" target="_blank">leichter@lrw.com</a> (Jerry Leichter) wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There's a more fundamental issue here: As engineers, we try to formalize everything. </blockquote></span></blockquote><div><br></div><div></div></div><div class="gmail_extra">I scanned for and did not see a mention of targeted policy on SELinux.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Attempting to establish a policy for _everything_ is hard if not impossible.</div><div class="gmail_extra">However some activities like an apache web server do have well bounded </div><div class="gmail_extra">activities and lend themselves to many types of containerization.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Some policy systems make objects outside of your label set invisible.</div><div class="gmail_extra">Some let you see what there is e.g. what keeps you out. One is difficult</div><div class="gmail_extra">to debug and the other harder to attack unless it is in a package that</div><div class="gmail_extra">the entire community (good+bad guys) has access to.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Other policy systems are excellent at audit and make a valuable tool</div><div class="gmail_extra">for the construction of an intrusion detection system. Any policy tool without </div><div class="gmail_extra">audit is lacking. To this end I tend to install SELinux and use it as</div><div class="gmail_extra">an audit tool on friendly systems and as an enforcing tool on boxes </div><div class="gmail_extra">exposed to the wild.</div><div class="gmail_extra"><br></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"> T o m M i t c h e l l</div></div>
</div></div>