On Tue, 13.12.16 14:25, Matthew Miller (mattdm@xxxxxxxxxxxxxxxxx) wrote:

> On Tue, Dec 13, 2016 at 10:42:08AM -0800, Japheth Cleaver wrote:
> > >For a less-effort version, we could update
> > >https://fedoraproject.org/wiki/Packaging:Systemd and have an (internal)
> > >marketing campaign asking people to update their packages (as
> > >suggested, ideally upstream).
> >
> > I'd much rather that effort be put into good SELinux policy
> > evangelization, documentation, and perhaps additional
> > admin-controllable booleans.
>
> That takes a lot more specific SELinux expertise — I don't think it's
> likely that the packager of everything that has a .service file in
> Fedora has the SELinux knowledge to do that, while adding these
> restrictions is much more straightforward.

Yeah, this is really what it boils down to: the goal with the systemd directives is to make things easy to grok and easy to change. I can probably explain to most Linux admins who have administered a current Fedora in 5 min what ProtectSystem=strict and ReadWritePaths=/var/lib/myservice do, and why it's a good thing. And afterwards he can easily add this to his own services.

With SELinux that's not that easy: the concepts are much more complex (at least in my opinion, but I am sure many will agree), and as the SELinux policy is packaged centrally, making a change is not trivially easy to do.

That said, SELinux and the systemd sandboxing directives are very different concepts. I don't think they are in competition really, and I am pretty sure everybody would benefit if both the SELinux policy and the systemd unit files would be improved.

Lennart

--
Lennart Poettering, Red Hat