Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))
Ivan Gyurdiev
ivg2 at cornell.edu
Fri Feb 24 13:16:40 UTC 2006
Ron Yorston wrote:
> Ivan Gyurdiev wrote:
>
>> Anyway, the fact that it's a tiny subset of applications doesn't mean
>> that it wouldn't be helpful to get developer review of the policy, and
>> participation/patches.
>>
>
> Quite so. But my concern isn't with the few developers working on
> critical infrastructure: by all means have them learn about SELinux
> and review policy.
>
> However, I don't think it's reasonable to expect application developers
> /in general/ to be responsible for making their applications work in
> the presence of SELinux, any more than one could expect corporate admins
> /in general/ to have a detailed understanding of SELinux policy.
>
That depends on your point of view.

If you consider SELinux a feature to be used by a tiny subset of users
(those "paranoid" about security, or within an environment that requires
it), then you'd be right - I shouldn't need to worry about SELinux if
the majority of my target audience didn't use it.

If you take the point of view that SELinux will be widely deployed and
eventually become as standard as traditional Unix DAC, then yes, I
would certainly have an expectation that most application developers
would become aware of it eventually, just as they are aware of Unix DAC.

I don't know what will happen, but I prefer the second option, so I
would encourage people to become familiar with those issues. I think
this is also the goal behind enabling targeted policy by default in
Fedora - to make the technology more widespread, and useful to more people.

Btw, I do have hopes that the Desktop will be confined in the future. I
think technology in strict policy will mature, become more flexible, and
be slowly integrated into targeted eventually, once it meets the
requirements of Joe User (which it doesn't at this time).