On 07/12/2017 06:26 AM, mcatanzaro(a)gnome.org wrote:
I kinda agree here (though I am a bit surprised, as I did not think you
were a very big SELinux fan). We absolutely could be investing more in
SELinux. But we have not been. Very few applications actually have
SELinux profiles, and they are all maintained downstream rather than
upstream. The volume of erroneous SELinux denials in Bugzilla is too
high, and the response time for fixing them too slow. SELinux profiles
work best when they are maintained upstream by application developers
who are familiar with SELinux, not by SELinux developers who are
unfamiliar with the application. But application developers who are
familiar with SELinux basically do not exist, and never will. So it
would be useful to have a general sandbox that works for the vast
majority of desktop apps.
On the other hand, most upstreams, even if they know about SELinux, will
rarely adopt restrictive policies. They are also not modular in the
sense that you can write policies for an application without taking
their library dependencies into account, or policies for libraries
without examining how applications use the library. And when it comes
to rarely used features, I don't think many upstreams would implement
them and then prevent their use with a security policy.
The app store model also assumes that the app store operator acts as
some sort of gatekeeper, so there has to be some policy enforcement at
this level, too. It is not sufficient to pass through just what the
application developer asked for.
Thanks,
Florian