-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/10/2012 04:41 PM, Les Mikesell wrote:
> On Tue, Jan 10, 2012 at 3:26 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
>> Again, there is nothing that we do that is vendor-specific. Everything we do with SELinux is open source. We are working to get our stuff upstream.
>> I have no idea what you are talking about as far as variations in Linux distributions. I work regularly with people in CentOS, RHEL, Gentoo, Ubuntu, Debian, Fedora and today even Mandriva. SELinux was just released for Android also, as I tweeted yesterday.
> OK, so the part that breaks things is getting widely shipped. Are the parts that make each specific application work again getting pushed upstream into the corresponding projects?
That is not the way it works. SELinux Reference Policy is a database of rules that govern the default ways applications run. The rules that have been written for Fedora/RHEL are public and are being moved upstream. Different distributions can choose to use these policies or write their own. Out of the Reference Policy you can build your own version of targeted or MLS policy, or you can write your policy from scratch.
http://fedoraproject.org/wiki/SELinux/Policies
http://oss.tresys.com/projects/refpolicy
We do not ship apache policy with the apache package, so we do not attempt to get the apache policy upstreamed to the apache package. This allows different people to write their own policies on how they want to run apache or they can grab the reference policy version.
The place that SELinux breaks applications is when an application does something that SELinux did not expect. I wrote a paper and presentation on the four main causes of SELinux issues.
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_t...
http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux4things...
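As an added example (not code from the thread or from the SELinux project), the following script shows the mechanics behind the "application does something SELinux did not expect" case described above: it parses AVC denial records of the kind audit logs contain, aggregates them into the raw policy-language `allow` rules a local module would need, and flags the cases where a new rule is the wrong fix. The audit lines are constructed for illustration; the `HINTS` triage table, the module name `myhttpd`, and the function names are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from any real system).
# Two file denials on the same home-directory file, one network denial,
# and an unrelated SYSCALL record that the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1326231000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1326231000.124:46): avc:  denied  { open } for  pid=1234 comm="httpd" path="/home/web/index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1326231005.001:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1326231005.001:47): arch=c000003e syscall=42 success=no exit=-13
"""

# Matches the permission set plus the source/target contexts and object class
# of one AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Aggregate denials into {(source_type, target_type, tclass): {perms}}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def generate_te(denials, module="myhttpd", version="1.0"):
    """Render the raw policy language (checkmodule -M -m style) that would
    permit every aggregated denial: a require block plus allow rules."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    for cls, perms in sorted(classes.items()):
        out.append(f"\tclass {cls} {{ {' '.join(sorted(perms))} }};")
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

# Illustrative triage table (this example's assumption, not from the thread):
# these denials usually indicate mislabeled content or a policy boolean that
# should be toggled, so an allow rule would widen policy instead of fixing it.
HINTS = {
    ("httpd_t", "user_home_t", "file"):
        "content under /home is mislabeled: label it httpd_sys_content_t "
        "(semanage fcontext + restorecon) or set the httpd_enable_homedirs boolean",
    ("httpd_t", "postgresql_port_t", "tcp_socket"):
        "set the httpd_can_network_connect_db boolean instead of adding a rule",
}

def triage(denials):
    """Return the subset of denials that have a better fix than an allow rule."""
    return {key: HINTS[key] for key in denials if key in HINTS}

if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT)
    for key, hint in triage(found).items():
        print(f"# {key}: {hint}")
    print(generate_te(found))
```

Every rule the generator emits corresponds to a visible denial, so the module is at most as permissive as what was logged; the triage step exists because, for the two constructed cases here, the right answer is to relabel the file or flip an existing boolean rather than load a new module.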