Posted Sep 23, 2004 16:24 UTC (Thu) by walters
In reply to: Complexity
Parent article: An introduction to SELinux
The files ultimately still need to have types assigned to them. No compiler can figure out what a program is actually doing with all of its files and figure out the best way to assign types to the files in order to achieve least privilege. Having a tool that looked at the file paths the application referenced and guessed types for them while constructing a policy would be somewhat useful. But it would be no substitute for a human.
In a number of cases, SELinux has revealed application bugs like the Kerberos libraries trying to open /etc/krb5.conf with write permissions.
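The krb5.conf observation above is the kind of thing that falls out of reading AVC denials: a process asks for write access to a file whose label says it is configuration, and the policy refuses. The script below is an added example, not part of walters's comment or of any SELinux tool; it parses audit-log AVC lines and flags denials where a process wanted `write` on a file whose target type looks like a configuration type. The audit lines are constructed samples, and the rule that a type ending in `_conf_t` or `etc_t` denotes configuration is a heuristic assumption, not something the policy guarantees.

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit lines (not taken from a real system). The kinit line
# mirrors the situation described in the comment: a Kerberos client asking for
# write access to krb5.conf, which it only needs to read.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1095950000.123:101): avc:  denied  { write } for  pid=2201 comm="kinit" name="krb5.conf" dev="sda1" ino=4021 scontext=system_u:system_r:kinit_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1095950001.456:102): avc:  denied  { read } for  pid=2202 comm="httpd" name="index.html" dev="sda1" ino=5510 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1095950002.789:103): avc:  denied  { read write } for  pid=2203 comm="sshd" name="sshd_config" dev="sda1" ino=6123 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1095950002.789:103): arch=c000003e syscall=2 success=no exit=-13
"""

# Shape of an AVC record: "avc:  denied  { perm perm } for  key=value key="value" ..."
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic assumption: file types named like this hold configuration.
CONFIG_TYPE_SUFFIXES = ("_conf_t", "etc_t")


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    tcontext = fields.get("tcontext", "")
    parts = tcontext.split(":")
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "fields": fields,
        # user:role:type:level -> the type component is index 2
        "target_type": parts[2] if len(parts) > 2 else "",
    }


def is_config_type(selinux_type: str) -> bool:
    """Heuristic: does this type label look like a configuration file type?"""
    return selinux_type.endswith(CONFIG_TYPE_SUFFIXES)


def find_config_write_denials(log_text: str) -> List[Dict]:
    """Return denials where a process wanted write access to a config-typed file.

    Each hit is a likely application bug (or a policy gap) worth a closer look:
    config files are normally opened read-only, so a write request is suspicious.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["fields"].get("tclass") != "file":
            continue
        if "write" in rec["perms"] and is_config_type(rec["target_type"]):
            hits.append({
                "serial": rec["serial"],
                "comm": rec["fields"].get("comm", "?"),
                "name": rec["fields"].get("name", "?"),
                "perms": rec["perms"],
                "target_type": rec["target_type"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_config_write_denials(SAMPLE_AUDIT_LOG):
        print(f"audit #{hit['serial']}: {hit['comm']} requested {hit['perms']} "
              f"on {hit['name']} ({hit['target_type']}); check why it needs write access")
```

Run against a real `/var/log/audit/audit.log` the same parser works unchanged, but the suffix heuristic should be tuned to the policy in use; the point is to triage denials by what they reveal about the application rather than reflexively granting the permission.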