On Fri, Jul 24, 2020 at 3:54 AM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> On 7/23/20 3:24 PM, Stephen Smalley wrote:
> > There is a tension there with fail-closed versus fail-open and the
> > potential for a security vulnerability to arise if it proceeds. Would
> > have to look at the specifics to evaluate how it should be handled.
> > Of course, in practice, one really shouldn't be removing contexts
> > while they are still in use (or else use aliases to preserve some
> > degree of compatibility).
> >
>
> I guess if there is tension between GNU/Linux use of libselinux and
> SEAndroid's use of libselinux, where SE for Android is implemented by the
> vendor to be immutable by the device owner, and where GNU/Linux
> leverages SELinux to empower device owners, then any tension can be
> alleviated if Google forks libselinux. In GNU/Linux it should just be
> possible to switch policies.

I wasn't talking about Android, just about the tension of
fail-closed/secure versus fail-open/insecure in general. I don't have
any problem with someone installing a new policy that completely
changes the set of file contexts; I just don't think they should do
that at runtime without a reboot in between and expect things to work
seamlessly.