I started working with selinux I Fedora Core 4 in 2005.
I've been through lots of changes.
Running in permissive mode in a multiuser environment would certainly be problematic. Running as a single user with only one unknown should be much less so.
We went from very laborious policy module creation to much easier with sealert and audit2allow and, apparently, back to being laborious.
I always review the te file to see if it is reasonable and whether it opens any extraneous holes in security. So far. I've never seen a problem, but maybe I've been lucky.
If the audit2allow and sealert give erroneous modules, then they should be deprecated. Until they are, I will continue to use them.
The reason I am stepping back from the conversation is I am apparently behind the current wisdom and I am not particularly interested in going back to producing modules laboriously.
-- _______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
