Re: No more selinux-policy-*-sources

Arjan van de Ven wrote:
Not an answer to your question but there's an interesting discussion on AppArmor and SELinux in Dan Walsh's blog:

http://danwalsh.livejournal.com/424.html


maybe it's time to accept that SELinux as technology is doomed. Not
because the code is bad, but because it's Just Too Complex(tm).
Complexity kills, and I think the time it is taking to get to the point
where at least less than 99% of the people turn SELinux off first thing
is waay too long already.

Maybe it's a matter of focus; sometimes I get the impression the focus
is to give more coverage rather than to get the existing coverage to the
point where people use it... but maybe the latter is just so much work
and so time consuming that it takes more time to get it than it takes
the codebase to change again.

Arjan,

Nice to hear from you. I think that SELinux is just getting to the point where it is ready for steady improvements in usability. I will admit that we are being pulled by multiple forces. I feel, as I stated in my blog, that there are three groups pulling at SELinux: system administrators, who just want to get the damn thing working; software application developers, who are kicking the tires to see if SELinux could help them protect their applications; and finally security people, who are focused on things like protecting information flow. Perhaps in the past we have been focused too heavily on the last group.

With loadable modules we are at the point where we can start to address all three groups, and you see products emerging to handle all three. Are these products coming fast enough? I don't know. Can we use help? Yes.

Loadable modules are providing a framework for just getting the damn thing working: in RHEL 4 and FC4 you needed to install policy-sources in order to make small customizations to policy; in FC5 you can just create a small policy module to fix your problem. Loadable modules give us the opportunity to allow third parties to ship their own policy, and for us to start to break up the policy from one big blob to the point where it is shipped with individual packages. I equate SELinux to the point when personal firewalls were first being introduced to each computer: everyone at that point just turned them off. But eventually the technology got to the point where most people don't realize they have a firewall running on their system.

Maybe we need a top ten list of things that I don't like about SELinux and then we can work to fix them.

Dan
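An added example, not part of the thread, of the "small policy module" workflow Dan refers to: instead of installing policy-sources, a local fix is written as a tiny .te file, compiled with checkmodule and semodule_package, and loaded with semodule. The module name, the types (httpd_t, var_log_t) and the allow rule are constructed for illustration; the point is that the grant is a few lines you can review and remove, not a rebuilt policy tree. The build step runs only if the SELinux tools are present.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): author a minimal SELinux
# loadable policy module and build it, rather than patching policy-sources.

# Write a constructed .te module to the path given in $1.
write_local_te() {
  cat > "$1" <<'EOF'
module local_httpd_logs 1.0;

require {
    type httpd_t;
    type var_log_t;
    class file { read getattr };
}

# Constructed example rule: let httpd read files labelled var_log_t.
# Keep the grant exactly as narrow as the audited denial requires.
allow httpd_t var_log_t:file { read getattr };
EOF
}

# Compile $1 (a .te file) into a .mod and a loadable .pp package beside it.
# Requires checkmodule and semodule_package from the policy toolchain.
build_module() {
  te="$1"
  base="${te%.te}"
  checkmodule -M -m -o "$base.mod" "$te"
  semodule_package -o "$base.pp" -m "$base.mod"
  echo "$base.pp"
}

# Only attempt the build when the toolchain is installed; installing the
# result (semodule -i local_httpd_logs.pp) is left as a deliberate root step.
if command -v checkmodule >/dev/null 2>&1 && command -v semodule_package >/dev/null 2>&1; then
  write_local_te local_httpd_logs.te
  build_module local_httpd_logs.te
fi
```

After `semodule -i local_httpd_logs.pp`, `semodule -l` shows the module is loaded, and `semodule -r local_httpd_logs` backs the change out. On an enforcing system, derive the require/allow lines from the actual AVC denial (audit2allow can draft them) and trim anything the denial did not ask for before loading.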

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
