If you are maintinaing of developing a Fedora Package.

[Nicolas Mailhot]

Le jeudi 18 octobre 2007 à 10:57 +0300, Panu Matilainen a écrit :
> On Thu, 18 Oct 2007, Nicolas Mailhot wrote:

> > You could make the same arguments for user names, unix permissions or
> > file location — a lot them have different values in the wild than in
> > Fedora and yet we store our policy in rpm.
> 
> The difference here is that we don't even try to support several 
> different policies (including custom local policies on top of the distro 
> policies) for user names, permissions etc. If we did, we'd be in the very 
> same swamp as with SELinux currently.

And the swamp root is not in-spec definition of our security policy the
swamp root is trying to manage several set of security policies without
getting one right distro-wide first.

The more I think about it the more I'm convinced we should have started
by adopting a lax Fedora selinux policy (and get it supported by all
packages and distro tools including getting selinux labels in-spec like
all our other policies) and then spent the following releases tightening
it instead of doing all at once, compromising on tool support to be a
jack-of-all-trades, and get nowhere.

We don't do file relocation. We don't do debian suggests. We forced a
single encoding on everyone. We don't do a lot of things that would mean
letting users choose instead of getting our Fedora policy right.

For selinux we went the other way and everyone can see the resulting
disaster.

> I'm not claiming there is no problem. What I'm saying is that storing the 
> labels within RPM doesn't fix a thing.

It stops the pretense selinux is special and can not be integrated
properly.

-- 
Nicolas Mailhot