Ron Yorston wrote:
> Ivan Gyurdiev wrote:
>> Anyway, the fact that it's a tiny subset of applications doesn't mean
>> that it wouldn't be helpful to get developer review of the policy, and
>> participation/patches.
>
> Quite so. But my concern isn't with the few developers working on
> critical infrastructure: by all means have them learn about SELinux
> and review policy.
>
> However, I don't think it's reasonable to expect application developers
> /in general/ to be responsible for making their applications work in
> the presence of SELinux, any more than one could expect corporate admins
> /in general/ to have a detailed understanding of SELinux policy.

That depends on your point of view.

If you consider selinux a feature to be used by a tiny subset of users
(those "paranoid" about security, or within an environment that requires
it), then you'd be right - I shouldn't need to worry about selinux if
the majority of my target audience didn't use it.

If you take the point of view that selinux will be widely deployed and
eventually become as standard as traditional Unix DAC, then yes, I
would certainly have an expectation that most application developers
would become aware of it eventually, just as they are aware of Unix DAC.

I don't know what will happen, but I prefer the second option, so I
would encourage people to become familiar with those issues. I think
this is also the goal behind enabling targeted policy by default in
Fedora - to make the technology more widespread, and useful to more people.

Btw, I do have hopes that the Desktop will be confined in the future. I
think technology in strict policy will mature, become more flexible, and
be slowly integrated into targeted eventually, once it meets the
requirements of Joe User (which it doesn't at this time).