how does rpm work under Selinux
Mike Hearn
mike at navi.cx
Thu Jun 2 06:40:28 UTC 2005
On Thu, 02 Jun 2005 01:29:00 -0400, Valdis.Kletnieks wrote:
> Well, technically, if it isn't centralized, you don't have a prayer of any
> *real* enforcement. There's days when I think that Casey is right, and even
> the *current* strict scheme isn't centralized and top-down design enough.
I see your point, and I see the points about centralised analysis. That
said, you seem to be saying you prefer an all or nothing situation. Maybe
I'm wrong but I think a partly locked down program is still better than
one running in unconfined_t right? Even if the policy was written by a
non-expert.
At some point if policy isn't actually pushed upstream you'll hit the
limits on the size of the policy you guys can maintain without
constant tweaks to fix updates sucking up more time than adding new
policy. Or worse, the policy will bit rot over time as apps start
requiring new privileges in edge cases that aren't tested and so SELinux
will cause more and more "bugs", and people will start switching it off.
thanks -mike
More information about the fedora-selinux-list
mailing list