[CentOS] SELinux - way of the future or good idea but !!!
Warren Young
warren at etr-usa.com
Thu Dec 9 20:33:13 UTC 2010

On 12/9/2010 1:54 AM, David Sommerseth wrote:
>
> For the vast majority of issues with SELinux, it is possible to overcome
> them using the provided tools.

Of course, but I think you're mistaking "possible" for "practical".
Everyone has different incentives and constraints.

Allow me to build an analogy with GUI program design. The tools provided
with the OS are sufficient for any program to be beautifully designed.
We have powerful graphics editors, solid GUI libraries, mature GUI
builders, and unprecedentedly powerful means for finding and attracting
design talent. Yet, most Linux GUI programs are not as nicely designed
as the best counterparts on Windows and OS X.

Why?

Not everyone cares enough to make their GUI program beautiful,
especially in a world where a) most of the software is free-as-in-beer;
and b) the culture has developed a knee-jerk "if you don't like it go
use something else we're volunteers here you ungrateful bastard"
reaction to criticism. (I should note here that I'm the primary
maintainer of a popular free software package, and I, too, have told
people to go pound sand when they told me I *need to* do something in
order to make my successful project succeed. As in another post in this
thread, I'm not disparaging here, just reporting.)

On Windows and OS X, the incentives are different. More software costs
money, and among the ways to convince people to pay money for software
when there are free alternatives, one way is to make the software more
beautiful, and another is to make it easier to use.

Now let's apply that same thinking to SELinux.

First, not all open source projects have the proper incentives to
support SELinux. One reason might be that the project started on one of
the BSDs and its primary maintainers still use that platform. Their
community may be uninterested in providing patches, and they're unlikely
to write software that doesn't benefit them in some way.

Then you have the packagers. Those packages not made by people trying
to get the package into the Fedora or RHEL official repositories aren't
required to support SELinux, so they may choose not to if they don't
themselves use SELinux.

Next there are those who just wish to install and use the software.
They may not wish to dig into the package to fix SELinux problems any
more than you see Joe Shellprompt fixing any of the many other
common problems you find constantly kicked back upstream through
complaints in bug trackers and on mailing lists.

That takes us full circle: no one has fixed the issue, and without a
sufficient change in the set of user incentives for that package, the
cycle will repeat.