On Thursday, 18 October 2007 at 10:57 +0300, Panu Matilainen wrote:
> On Thu, 18 Oct 2007, Nicolas Mailhot wrote:
> > You could make the same arguments for user names, unix permissions or
> > file location — a lot of them have different values in the wild than in
> > Fedora and yet we store our policy in rpm.
>
> The difference here is that we don't even try to support several
> different policies (including custom local policies on top of the distro
> policies) for user names, permissions etc. If we did, we'd be in the very
> same swamp as with SELinux currently.

And the swamp root is not in-spec definition of our security policy; the swamp root is trying to manage several sets of security policies without getting one right distro-wide first.

The more I think about it the more I'm convinced we should have started by adopting a lax Fedora selinux policy (and get it supported by all packages and distro tools including getting selinux labels in-spec like all our other policies) and then spent the following releases tightening it instead of doing all at once, compromising on tool support to be a jack-of-all-trades, and getting nowhere.

We don't do file relocation. We don't do debian suggests. We forced a single encoding on everyone. We don't do a lot of things that would mean letting users choose instead of getting our Fedora policy right. For selinux we went the other way and everyone can see the resulting disaster.

> I'm not claiming there is no problem. What I'm saying is that storing the
> labels within RPM doesn't fix a thing.

It stops the pretense selinux is special and can not be integrated properly.

--
Nicolas Mailhot