[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))



Ron Yorston wrote:
Ivan Gyurdiev wrote:
Anyway, the fact that it's a tiny subset of applications doesn't mean that it wouldn't be helpful to get developer review of the policy, and participation/patches.

Quite so.  But my concern isn't with the few developers working on
critical infrastructure:  by all means have them learn about SELinux
and review policy.

However, I don't think it's reasonable to expect application developers
/in general/ to be responsible for making their applications work in
the presence of SELinux, any more than one could expect corporate admins
/in general/ to have a detailed understanding of SELinux policy.
That depends on your point of view.

If you consider selinux a feature to be used by a tiny subset of users (those "paranoid" about security, or within an environment that requires it), then you'd be right - I shouldn't need to worry about selinux if the majority of my target audience didn't use it.

If you take the point of view that selinux will be widely deployed and eventually become as standard as tradictional Unix DAC, then yes, I would certainly have an expectation that most application developers would become aware of it eventually, just as they are aware of Unix DAC.

I don't know what will happen, but I prefer the second option, so I would encourage people to become familiar with those issues. I think this is also the goal behind enabling targeted policy by default in Fedora - to make the technology more widespread, and useful to more people.

Btw, I do have hopes that the Desktop will be confined in the future. I think technology in strict policy will mature, become more flexible, and be slowly integrated into targeted eventually, once it meets the requirements of Joe User (which it doesn't at this time).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]