On 2017-07-12, mcatanzaro(a)gnome.org <mcatanzaro(a)gnome.org> wrote:
Very few applications actually have SELinux profiles, and they are all
maintained downstream rather than upstream. The volume of erroneous
SELinux denials in Bugzilla is too high, and the response time for
fixing them too slow. SELinux profiles work best when they are
maintained upstream by application developers who are familiar with
SELinux, not by SELinux developers who are unfamiliar with the
application.
The issue with SELinux is that it's monolithic and program-centric. You
cannot write a SELinux policy that keeps pace with updated libraries.
E.g. you have a program that resolves user names to UIDs via glibc. If
nsswitch changes its configuration to use LDAP, the program starts
making TCP connections. Or you have a program that links to a library
that enables JIT and then the program starts requiring writable and
executable memory mappings.
So a change in a dependency out of control of the program upstream
invalidates the policy. That's the reason why SELinux policy is
maintained downstream.
-- Petr
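The two failure modes Petr describes (a name-service switch to LDAP turning into tcp_socket name_connect denials, a dependency enabling a JIT turning into process execmem denials) show up in the audit log long before anyone files a Bugzilla report. The following is an added example, not code from the thread or from any SELinux project: a small parser for AVC denial records that groups denials by source domain and flags the classes of denial that typically come from a changed dependency rather than from the program itself. The audit lines are constructed samples modelled on the real AVC record format, and the domain and type names (example_t and friends) are hypothetical.

```python
"""Triage SELinux AVC denials that point at a changed dependency.

Added example, not part of the mailing-list thread. Parses audit.log AVC
records and highlights denials whose cause is usually a library or
configuration change outside the program's control.
"""
import re
from collections import defaultdict

# Constructed sample audit lines (hypothetical domain example_t); the field
# layout follows the format auditd writes for AVC records.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1499856000.123:4501): avc:  denied  { name_connect } for  pid=2345 comm="example-daemon" dest=389 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1499856001.456:4502): avc:  denied  { execmem } for  pid=2345 comm="example-daemon" scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=process permissive=0
type=AVC msg=audit(1499856002.789:4503): avc:  denied  { read } for  pid=2345 comm="example-daemon" name="passwd" dev="dm-0" ino=1234 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1499856002.789:4503): arch=c000003e syscall=2 success=no exit=-13
"""

# (object class, permission) pairs that, in the author's experience of the
# pattern described in the thread, usually come from a dependency change.
DEPENDENCY_SIGNATURES = {
    ("tcp_socket", "name_connect"): "new outbound network use, e.g. nsswitch switched to LDAP",
    ("process", "execmem"): "writable+executable memory, e.g. a dependency enabled a JIT",
}

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _ctx_type(ctx: str) -> str:
    """Return the type component (user:role:type:level) of a security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = _DENIED_RE.search(line)
    if m is None:
        return None  # granted AVCs or malformed records are skipped
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "?"),
        "sdomain": _ctx_type(fields.get("scontext", "")),
        "ttype": _ctx_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", "?"),
        "dest": int(fields["dest"]) if fields.get("dest", "").isdigit() else None,
    }


def parse_audit_log(text: str):
    """Return the list of parsed AVC denials found in an audit log excerpt."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def denials_by_domain(text: str):
    """Group denied (tclass, perm, target type) triples by source domain."""
    groups = defaultdict(set)
    for rec in parse_audit_log(text):
        for perm in rec["perms"]:
            groups[rec["sdomain"]].add((rec["tclass"], perm, rec["ttype"]))
    return {domain: sorted(triples) for domain, triples in groups.items()}


def flag_dependency_denials(text: str):
    """Return (comm, domain, tclass, perm, reason) for dependency-shaped denials."""
    hits = []
    for rec in parse_audit_log(text):
        for perm in rec["perms"]:
            reason = DEPENDENCY_SIGNATURES.get((rec["tclass"], perm))
            if reason:
                hits.append((rec["comm"], rec["sdomain"], rec["tclass"], perm, reason))
    return hits


if __name__ == "__main__":
    for domain, triples in denials_by_domain(SAMPLE_AUDIT_LOG).items():
        print(domain)
        for tclass, perm, ttype in triples:
            print(f"  {tclass}:{perm} -> {ttype}")
    for comm, domain, tclass, perm, reason in flag_dependency_denials(SAMPLE_AUDIT_LOG):
        print(f"{comm} ({domain}) denied {tclass} {perm}: {reason}")
```

Run against a real `/var/log/audit/audit.log` the grouping gives a per-domain picture of what the policy is missing; the flagged entries are the ones where the right fix is usually a policy update tracking the dependency (or a boolean such as the ones Fedora ships for name-service backends) rather than a change to the application, which is exactly why those reports pile up downstream.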