Lukas Vrabec <lvrabec@xxxxxxxxxx>:

> I like to see more distros using fedora selinux-policy as default
> SELinux policy. But as Stephen mentioned, it has to come from within.
> From my POV, I like that refpolicy is more strict than fedora selinux
> policy, because both policies could be used for different use cases.
> If there is any possible cooperation with Ubuntu or SUSE on SELinux,
> I'm more than happy to discuss possibilities.

I believe distros writing policies is a bad idea. It should be up to application developers to contribute not only code but also the associated systemd, firewall and SELinux integration. IOW, there should be a clear methodology for applications to participate in distros. Ideally, an application would be written once and dropped as-is into every distro out there.

This document comes close to what is needed for us application developers:

https://blogs.rdoproject.org/2017/09/selinux-policy-from-the-ground-up/

However, I'm a bit appalled that they would recommend:

* Use audit2allow

The linked document by Miroslav Grepl (<URL: https://mgrepl.fedorapeople.org/PolicyCourse/writingSELinuxpolicy_MUNI.pdf>) belongs to a largish pile of information that educates you a lot about SELinux details but fails to teach you a methodology. First off, it's not clear if the document is meant for sysadmins or application developers.

I believe I understand to a reasonable degree what labels are and how SELinux does its enforcement mechanically. Similarly, I understand the wavelengths of the red and blue colors, but that doesn't make me a Michelangelo. Or I understand the function of white and black piano keys, but that doesn't make me a Chopin. Advising me to use audit2allow is like telling me to keep banging the piano keys until it sounds great.

Or maybe now that the kernel will allow the stacking of security modules, each application writer should write a dedicated security module for their application...
Marko

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx