On Tue, 2006-03-14 at 15:13 +0100, Arjan van de Ven wrote: > > Not an answer to your question but there's an interesting discussion on > > AppArmor and SELinux in Dan Walsh's blog: > > > > http://danwalsh.livejournal.com/424.html > > > maybe it's time to accept that SELinux as technology is doomed. Not > because the code is bad, but because it's Just Too Complex(tm). > Complexity kills, and I think the time it is taking to get to the point > where at least less than 99% of the people turns selinux off first thing > is waay too long already. > > Maybe it's a matter of focus; sometimes I get the impression the focus > is to give more coverage rather than to get the existing coverage to the > point where people use it... but maybe the later is just so much work > and so time consuming that it takes more time to get it than it takes > the codebase to change again. No, there is quite a bit of ongoing work on improving useability for SELinux, including several new higher level tools that have been recently released. But don't conflate the user interface with the mechanism - if you limit the OS access control mechanism by what is immediately useable by end users, then you end up with a solution that can never be secure (to wit: AppArmor and its path-based configurations). You need to get the mechanism right first, which is what we've done in SELinux, and then you build the nice UI on top of that. You might find the Useability discussion from the SELinux summit of interest, see the summit minutes at: http://www.selinux-symposium.org/2006/summit.php -- Stephen Smalley National Security Agency -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
