Arjan van de Ven wrote:
Not an answer to your question but there's an interesting discussion on
AppArmor and SELinux in Dan Walsh's blog:
http://danwalsh.livejournal.com/424.html
maybe it's time to accept that SELinux as technology is doomed. Not
because the code is bad, but because it's Just Too Complex(tm).
Complexity kills, and I think the time it is taking to get to the point
where at least less than 99% of the people turns selinux off first thing
is waay too long already.
Maybe it's a matter of focus; sometimes I get the impression the focus
is to give more coverage rather than to get the existing coverage to the
point where people use it... but maybe the later is just so much work
and so time consuming that it takes more time to get it than it takes
the codebase to change again.
Arjan,
Nice to hear from you. I think that SELinux is just getting to the
point where it is ready for steady improvements
in usability. I will admit that we are being pulled by multiple
forces. I feel as I stated in my Blog that there are three groups
pulling at SELinux, System Administrators who just want to get the damn
thing working. Software Application Developers who are kicking the
tires to see if SELinux could help them protect there applications and
finally Security people who are focused on things like protecting
information flow. Perhaps in the past we have been focused too heavily
on the last group.
With loadable modules we are at the point where we can start to address
all three groups, and you see products emerging to handle all three.
Are these products coming fast enough, I don't know. Can we use help, yes.
Loadable modules are providing a framework for just getting the damn
thing working, in RHEL 4 and FC4, you needed to install policy-sources
in order to make small customizations to policy, in FC5 you can just
create a small policy module to fix your problem.
Loadable modules gives us the opportunity to allow third parties to ship
there own policy, and for us to start to break up the policy from one
big blob to the point where it is shipped with individual packages.
I equate SELinux to the point when personal firewalls were first being
introduced to each computer, everyone at that point just turned them
off. But eventually the technology got to the point where most people
don't
realize they have a firewall running on there system.
Maybe we need a top ten list of things that I don't like about SELinux
and then we can work to fix them.
Dan
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list