[tomoyo-users-en 421] Re: TOMOYO Policy simplification

Jamie Nguyen jamie****@tomoy*****
Wed Nov 23 17:40:36 JST 2011


Milton Yates wrote:
> As I have been writing policies for Tomoyo 2.4, I have searched for any
> way available to factor and simplify Tomoyo policies to make them as
> generic and reusable as possible.
> Most of the policies I write, currently for desktop applications, have
> common sets of rules based on the services of the system they use: dbus,
> X, gnome, alsa, pulse, etc.
> So it is desirable to have reusable policies, and not just copy/paste
> lines which is not efficient nor easy to maintain.
>
> I find this currently difficult to implement completely with Tomoyo.
>
> The best thing would be if we could name these policy groups (but
> numbers could do at first) and more importantly be able to assign *more
> than one group* to each domain.
> That would be great and would simplify existing policies by being able
> to group policies and make them easier to create/read/change/recertify,
> by making policies closer to a kind of role based approach.

A great proposal :)

Actually, I have thought of the same idea before, since there are often
many repeats in each acl_group.

If this idea is implemented, it is important to change to named groups
rather than numbers. Otherwise it gets confusing when you see in a
domain:

  acl_group 0
  acl_group 3
  acl_group 6
  acl_group 10
  acl_group 11

Much more usable to see something like:

  acl_group DEFAULT
  acl_group SOUND
  acl_group VIDEO
  acl_group WWW
  acl_group X11

I think it is up to the policy writer to ensure that there are no
redundant permissions. If the groups are created thoughtfully for only
common access requests then there should not be many redundant
permissions.


Kind regards,
Jamie



