On 12/9/2010 1:54 AM, David Sommerseth wrote:
For the vast majority of issues with SELinux, it possible to overcome them using the provided tools.
Of course, but I think you're mistaking "possible" for "practical". Everyone has different incentives and constraints.
Allow me build an analogy with GUI program design. The tools provided with the OS are sufficient for any program to be beautifully designed. We have powerful graphics editors, solid GUI libraries, mature GUI builders, and unprecedentedly powerful means for finding and attracting design talent. Yet, most Linux GUI programs are not as nicely designed as the best counterparts on Windows and OS X.
Why?
Not everyone cares enough to make their GUI program beautiful, especially in a world where a) most of the software is free-as-in-beer; and b) the culture has developed a knee-jerk "if you don't like it go use something else we're volunteers here you ungrateful bastard" reaction to criticism. (I should note here that I'm the primary maintainer of a popular free software package, and I, too have told people to go pound sand when they told me I *need to* do something in order to make my successful project succeed. As in another post in this thread, I'm not disparaging here, just reporting.)
On Windows and OS X, the incentives are different. More software costs money, and among the ways to convince people to pay money for software when there are free alternatives, one way is to make the software more beautiful, and another is to make it easier to use.
Now let's apply that same thinking to SELinux.
First, not all open source projects have the proper incentives to support SELinux. One reason might be that the project started on one of the BSDs and its primary maintainers still use that platform. Their community may be uninterested in providing patches, and they're unlikely to write software that doesn't benefit them in some way.
Then you have the packagers. Those packages not made by people trying to get the package into the Fedora or RHEL official repositories aren't required to support SELinux, so they may choose not to if they don't themselves use SELinux.
Next there are those who just wish to install and use the software. They may not wish to dig into the package to fix SELinux problems any more than you see Joe Shellprompt fixing any of the many other other common problems you find constantly kicked back upstream through complaints in bug trackers and on mailing lists.
That takes us full circle, no one has fixed the issue, and without a sufficient change in the set of user incentives for that package, the cycle will repeat.