begin quoting Tracy R Reed as of Tue, Nov 08, 2005 at 01:06:37PM -0800:
> Stewart Stremler wrote:
[snip]
> > The finer-grained the control, the harder the rules are to read. :-/
>
> They are only hard to read insofar as C code is difficult for someone
> who does not know C.
Oddly enough, it's not hard in C to get the _gist_ of what's being done,
for non-obfuscated short programs, even for those who don't know C. One
of the advantages of being in the ALGOL family, doncherknow.
Cries of 'oooh, tell me what ****s->p[q] means then!' notwithstanding.
(Granted, C++ is a whole different ball of wax.)
> The above rules are fairly straightforward to
> someone who has glanced at the SE Linux docs and is familiar with the
> various Linux capabilities.
Er, that (A) is not true and (B) doesn't completely contradict what I said.
You're making "fairly" weasel about *far* too much.
(Shoot, from the SELinux documentation we read:
...it is clear that the flexibility of the mandatory access
controls also yields a corresponding increase in the complexity of
managing the security policy. Creating and maintaining a
configuration to meet a set of security requirements and verifying
that the configuration is consistent with those requirements can be
a challenging task.
and you say that it's *straightforward*?)
I don't know if it's the design of SELinux that makes reading the RH
documentation so painful, or if it's just that the documentation wasn't
written to be clear. (Or I picked the wrong half-dozen starting
documents. The web is NOT my friend, after all. None of the documents I
found had a decent state-transition diagram anywhere in 'em. Imagine,
talking about _system_ security and not including any sort of state
transition diagrams!)
Of course, I've been reading security documentation that's nigh on
thirty years old (typewriter equations anyone?), so I'm perhaps a bit
biased at the moment. Modern documentation is a lot more...fractured.
One might even say incoherent.
-Stewart "Is it a time for the 'modern documentation sucks' rant?" Stremler
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list