On 2017-07-12, [email protected] <[email protected]> wrote:
> Very few applications actually have SELinux profiles, and they are all
> maintained downstream rather than upstream. The volume of erroneous
> SELinux denials in Bugzilla is too high, and the response time for
> fixing them too slow. SELinux profiles work best when they are
> maintained upstream by application developers who are familiar with
> SELinux, not by SELinux developers who are unfamiliar with the
> application.

The issue with SELinux is that it's monolithic and program-centric. You
cannot write a SELinux policy that keeps pace with updated libraries.

E.g. you have a program that resolves user names to UIDs via glibc. If
nsswitch changes its configuration to use LDAP, the program starts
making TCP connections. Or you have a program that links to a library
that enables JIT and then the program starts requiring writable and
executable memory mapping.

So a change in a dependency out of control of the program upstream
invalidates the policy. That's the reason why SELinux policy is
maintained downstream.

-- Petr
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
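The two failure modes Petr describes (an NSS backend switch that suddenly needs a TCP connection, and a library that starts needing writable-and-executable memory) show up on a running system as AVC denials in the audit log. The script below is an added triage example, not code from the thread or from any SELinux project: it parses a few constructed AVC records, classifies each denial by the kind of dependency change that typically causes it, and prints the candidate allow rule in policy syntax so a maintainer can see what the policy would have to grow. The record contents, type names (`resolver_t`, `jitapp_t`, `other_t`) and the cause heuristics are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed AVC records in audit.log format (not taken from a real system).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1499900000.123:456): avc:  denied  { name_connect } for  pid=4242 comm="resolver" dest=389 scontext=system_u:system_r:resolver_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1499900001.456:457): avc:  denied  { execmem } for  pid=4243 comm="jitapp" scontext=system_u:system_r:jitapp_t:s0 tcontext=system_u:system_r:jitapp_t:s0 tclass=process permissive=0
type=AVC msg=audit(1499900002.789:458): avc:  denied  { read } for  pid=4244 comm="other" name="secret" dev="dm-0" ino=1234 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Matches the fields of an AVC denial that matter for policy triage.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


@dataclass
class Denial:
    perms: list          # permissions that were denied, e.g. ["name_connect"]
    stype: str           # source (subject) type, e.g. "resolver_t"
    ttype: str           # target type, e.g. "ldap_port_t"
    tclass: str          # object class, e.g. "tcp_socket"


def type_of(context: str) -> str:
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]


def parse_avc(text: str) -> list:
    """Extract one Denial per AVC record; lines without a denial are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        denials.append(Denial(
            perms=m.group("perms").split(),
            stype=type_of(m.group("scontext")),
            ttype=type_of(m.group("tcontext")),
            tclass=m.group("tclass"),
        ))
    return denials


def likely_cause(d: Denial) -> str:
    """Heuristic mapping from denial shape to the dependency change behind it (assumed, not exhaustive)."""
    if d.tclass == "process" and "execmem" in d.perms:
        return "library now needs writable+executable memory (JIT)"
    if d.tclass == "tcp_socket" and "name_connect" in d.perms:
        return "new outbound network dependency (e.g. nsswitch switched to LDAP)"
    return "unclassified"


def allow_rule(d: Denial) -> str:
    """Render the allow rule that would silence this denial, using 'self' when the target is the process itself."""
    target = "self" if d.stype == d.ttype else d.ttype
    return f"allow {d.stype} {target}:{d.tclass} {{ {' '.join(d.perms)} }};"


if __name__ == "__main__":
    for d in parse_avc(SAMPLE_AUDIT):
        print(f"{allow_rule(d):60} # {likely_cause(d)}")
```

The point for a policy maintainer is that the first two rules are not bugs in the program's own code: nothing in the program changed, only what glibc or a linked library does at runtime, which is why a policy written against the program alone cannot anticipate them. The third denial (a read of a `shadow_t` file) is left unclassified on purpose; an allow rule for it should be questioned rather than generated, so the tool only reports it.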