On Tue, Dec 19, 2017 at 04:13:52PM -0000, Michael Catanzaro wrote:
> In order to consistently enforce our minimum standards of quality for
> applications that are installed by default, we did indeed vote in
> favor of getting worse bug reports. I expect this will make it much
> more difficult to solve SELinux problems. If so, we will probably
> wind up discussing whether to disable SELinux altogether sooner
> rather than later. (That's never received nearly enough support in
> the past, but who can say what the future holds.)

I'd be interested in seeing a workstation-targeted SELinux policy, covering:

* svirt for virtual machines
* svirt for Docker/OCI/atomic containers
* whatever sandboxing for flatpak
* some of the very fundamental protections for X (are there equivalents in wayland?)
* maybe a more carefully thought-through policy for firefox? it's hard!
* maybe something wrapping tracker miners? or maybe we rely on seccomp?

and basically just let everything else through. That would leave protection in some of the areas where it really makes a big difference, with fewer AVCs which don't really affect use. People who want to do development and want to opt-in to the stricter policy could.

I know that recently it seems like there hasn't been as much attention on SELinux issues in Fedora (see devel list threads), and I think having a simpler workstation policy would allow the limited maintenance time to be spent on things that have a big impact rather than on... yet another random program trying to write to tmp and it's really fine and whatnot.

> I suspect that the desktop team does not intend to assign resources
> to this problem, so it will be up to people who care about SELinux to
> work on a solution for avoiding this, if they care to do so.

Well, if a reporting GUI is desired, we're gonna need someone with skill at making GUI apps, or else we get... well, the thing we have. :)

> My recommendation would be to add SELinux problem reporting
> functionality in a way that involves a very simple GUI and absolutely
> zero technical details. Or, perhaps it would be wisest to give up on
> having any UI for this and just send the bug report in the
> background, like ABRT does.

That seems reasonable too.

-- 
Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader