On Friday, 12 June 2020 9:00:05 PM AEST Denis Obrezkov wrote:
> At the same time, some parts of SELinux are very unstable. Like, MCS. It
> was introduced and it is used only for VM management. And mcstransd is
> bad. It's really bad. I was trying to use it and it was totally
> unstable. So, even if someone wants to use MCS - it is almost impossible
> because tools are unstable and MCS is already almost exclusively used by
> VMs.

Systemd has the ability to dynamically create and manage UIDs. It could do the same with MCS categories. Having systemd manage multiple daemons doing similar tasks with either MCS categories or the other systemd mechanisms (namespaces etc) used to isolate them instead of different types is something we could do.

There are a heap of daemons that use a TCP or UDP socket, write to logs, and maintain a data store (database server, proxy server, dhcp server, and samba all look fairly similar from a certain perspective), having an entirely separate policy for each one doesn't seem useful.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
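
Added example, not part of the message above and not systemd code: a sketch of how a service manager could hand out MCS categories dynamically, giving each unit its own pair of categories in the way VM tooling labels guests. The `CategoryAllocator` class, the unit names and the 1024-category range are assumptions made for illustration.

```python
import secrets

MAX_CAT = 1024  # assumed policy range c0..c1023


def label(cats):
    """Render a category set as an MCS range string, e.g. s0:c87,c520."""
    return "s0:" + ",".join(f"c{c}" for c in sorted(cats))


def dominates(a, b):
    """Label a dominates label b when a's categories are a superset of b's."""
    return set(a) >= set(b)


class CategoryAllocator:
    """Hypothetical per-unit allocator of unique MCS category pairs."""

    def __init__(self, rng=None):
        self._in_use = {}  # unit name -> frozenset of two categories
        self._rng = rng or secrets.SystemRandom()

    def allocate(self, unit):
        # A unit that is already running keeps its label (restart-safe).
        if unit in self._in_use:
            return label(self._in_use[unit])
        taken = set(self._in_use.values())
        if len(taken) >= MAX_CAT * (MAX_CAT - 1) // 2:
            raise RuntimeError("all category pairs are in use")
        while True:
            pair = frozenset(self._rng.sample(range(MAX_CAT), 2))
            if pair not in taken:  # never share a pair between units
                self._in_use[unit] = pair
                return label(pair)

    def release(self, unit):
        """Return the unit's pair to the pool when the unit stops."""
        self._in_use.pop(unit, None)

    def isolated(self, unit_a, unit_b):
        # Two distinct pairs never dominate each other, so neither
        # daemon can reach files labelled for the other.
        a, b = self._in_use[unit_a], self._in_use[unit_b]
        return not dominates(a, b) and not dominates(b, a)


if __name__ == "__main__":
    alloc = CategoryAllocator()
    for unit in ("dhcpd.service", "squid.service", "smbd.service"):
        print(unit, alloc.allocate(unit))
    print(alloc.isolated("dhcpd.service", "squid.service"))
```

All three daemons could then run under one shared type, with the category pair rather than a per-daemon policy keeping their data stores apart.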