On Thu, 02 Jun 2005 01:29:00 -0400, Valdis.Kletnieks wrote:
> Well, technically, if it isn't centralized, you don't have a prayer of any
> *real* enforcement. There's days when I think that Casey is right, and even
> the *current* strict scheme isn't centralized and top-down design enough.

I see your point, and I see the points about centralised analysis. That said, you seem to be saying you prefer an all or nothing situation. Maybe I'm wrong but I think a partly locked down program is still better than one running in unconfined_t right? Even if the policy was written by a non-expert.

At some point if policy isn't actually pushed upstream you'll hit the limits on the size of the policy you guys can maintain without constant tweaks to fix updates sucking up more time than adding new policy. Or worse, the policy will bit rot over time as apps start requiring new privileges in edge cases that aren't tested and so SELinux will cause more and more "bugs", and people will start switching it off.

thanks -mike

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list