Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))

Ivan Gyurdiev ivg2 at cornell.edu
Fri Feb 24 13:16:40 UTC 2006


Ron Yorston wrote:
> Ivan Gyurdiev wrote:
>   
>> Anyway, the fact that it's a tiny subset of applications doesn't mean 
>> that it wouldn't be helpful to get developer review of the policy, and 
>> participation/patches.
>>     
>
> Quite so.  But my concern isn't with the few developers working on
> critical infrastructure:  by all means have them learn about SELinux
> and review policy.
>
> However, I don't think it's reasonable to expect application developers
> /in general/ to be responsible for making their applications work in
> the presence of SELinux, any more than one could expect corporate admins
> /in general/ to have a detailed understanding of SELinux policy.
>   
That depends on your point of view.

If you consider selinux a feature to be used by a tiny subset of users 
(those "paranoid" about security, or within an environment that requires 
it), then you'd be right - I shouldn't need to worry about selinux if 
the majority of my target audience didn't use it.

If you take the point of view that selinux will be widely deployed and 
eventually become as standard as traditional Unix DAC, then yes, I 
would certainly have an expectation that most application developers 
would become aware of it eventually, just as they are aware of Unix DAC.

I don't know what will happen, but I prefer the second option, so I 
would encourage people to become familiar with those issues. I think 
this is also the goal behind enabling targeted policy by default in 
Fedora - to make the technology more widespread, and useful to more people.

Btw, I do have hopes that the Desktop will be confined in the future. I 
think technology in strict policy will mature, become more flexible, and 
be slowly integrated into targeted eventually, once it meets the 
requirements of Joe User (which it doesn't at this time).
