On Tue, 13.12.16 14:25, Matthew Miller (mattdm(a)fedoraproject.org) wrote:
> On Tue, Dec 13, 2016 at 10:42:08AM -0800, Japheth Cleaver wrote:
> > > For a less-effort version, we could update
> > > https://fedoraproject.org/wiki/Packaging:Systemd and have an (internal)
> > > marketing campaign asking people to update their packages (as
> > > suggested, ideally upstream).
> >
> > I'd much rather that effort be put into good SELinux policy
> > evangelization, documentation, and perhaps additional
> > admin-controllable booleans.
> That takes a lot more specific SELinux expertise — I don't think it's
> likely that the packager of everything that has a .service file in
> Fedora has the SELinux knowledge to do that, while adding these
> restrictions is much more straightforward.

Yeah, this is really what it boils down to: the goal with the systemd
directives is to make things easy to grok and easy to change. I can
probably explain to most Linux admins who have administered a current
Fedora in 5min what ProtectSystem=strict and
ReadWritePaths=/var/lib/myservice do, and why it's a good thing. And
afterwards he can easily add this to his own services. With SELinux
that's not that easy: the concepts are much more complex (at least in
my opinion, but I am sure many will agree), and as the selinux policy
is packaged centrally making a change is not trivially easy to do.
That said, SELinux and the systemd sandboxing directives are very
different concepts. I don't think they are in competition really, and
I am pretty sure everybody would benefit if both the SELinux policy
and the systemd unit files would be improved.
Lennart
--
Lennart Poettering, Red Hat
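The ProtectSystem=strict plus ReadWritePaths= pattern discussed above, as an added example that is not part of this thread or of any Fedora package: a small POSIX shell audit that reads a constructed unit file and reports its effective filesystem sandboxing, applying systemd's rule that scalar settings take the last assignment while list settings such as ReadWritePaths= accumulate across lines and reset on an empty assignment. The unit text, service name and paths are constructed for the example.

```shell
# Constructed sample unit (assumption: not from the thread or any package):
# a service confined with ProtectSystem=strict plus an explicit writable state dir.
SAMPLE_UNIT='[Unit]
Description=Constructed sample service

[Service]
ExecStart=/usr/bin/myservice
ProtectSystem=strict
ReadWritePaths=/var/lib/myservice
ReadWritePaths=/var/log/myservice /run/myservice
'

# Effective value of a key in [Service]. $1 = unit text, $2 = key, $3 = "list"
# or "scalar". systemd semantics: a scalar key takes the last assignment; a
# list key (ReadWritePaths=, ...) accumulates across repeated lines, and an
# empty assignment resets everything collected so far.
unit_service_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v mode="$3" '
        /^\[/ { insvc = ($0 == "[Service]"); next }
        insvc && index($0, key "=") == 1 {
            v = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (mode != "list")  { acc = v }
            else if (v == "")    { acc = "" }
            else                 { acc = (acc == "" ? v : acc " " v) }
        }
        END { print acc }'
}

# One-line verdict on the unit's filesystem sandboxing, usable in review or CI.
audit_unit() {
    ps=$(unit_service_value "$1" ProtectSystem scalar)
    rw=$(unit_service_value "$1" ReadWritePaths list)
    case "$ps" in
        strict)      echo "strict: whole FS read-only except ${rw:-nothing (no ReadWritePaths=)}" ;;
        full)        echo "full: /usr, /boot and /etc read-only" ;;
        yes|true|on|1) echo "yes: /usr and /boot read-only, /etc still writable" ;;
        *)           echo "none: no ProtectSystem= set, service may write anywhere its user can" ;;
    esac
}

audit_unit "$SAMPLE_UNIT"
```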