On Wed, Jan 11, 2012 at 3:30 PM, Lamar Owen lowen@pari.edu wrote:
Yes, the breakage came from having someone who didn't understand the needs define that policy.
'Going out of its way to break' something means knowing what is needed for something to work, and intentionally preventing it from working. I'm reminded of DR-DOS years ago....
You can't intentionally break the thing of which you weren't aware; such breakage is not intentional.
Imposing a policy to deny things is intentional. And doing it without knowing the details of the needed exceptions isn't accidental.
... what is the standard way to tell distribution packaging systems and system administrators to permit it?
An SELinux policy set. Seriously. Set up variables or whatnot to specify filepaths if you need to.
Is there a namespace delegation or some central coordinator for that? How do two different policy writers avoid accidentally using the same terms for different things?
That is new, but it isn't very hard.
Doesn't that really depend on what the application needs to do?
No, unless the application is doing something dangerous. OpenNMS (for one) does some dangerous (in the security context) things, but the RPM packages I've run 'just worked' from the repository, to the best of my recollection (I did some fairly major network reconfiguration, and need to reinstantiate my OpenNMS instance, and when I do it will be on a different VM running C6, assuming the OpenNMS yum repo is up to date).
But, but... You are running in targeted mode and OpenNMS just isn't one of the targeted applications. That doesn't fix anything going forward.
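For anyone reading this thread later, here is what the "SELinux policy set" suggested above looks like in practice. This is an added example, not code from the thread or from the OpenNMS project: a minimal policy module for a hypothetical daemon called exampled (the name, the paths and the sample type list are assumptions), the file-context (.fc) file that plays the role of the "variables to specify filepaths", an offline check answering the namespace question (SELinux has one flat type namespace and no central coordinator; the convention is to prefix every type with the module name and to check against the loaded policy before installing), and the build/install steps that only run where the policy toolchain exists.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenNMS project: the sources of
# a minimal SELinux policy module for a hypothetical daemon "exampled", an
# offline check for type-name clashes, and the build/install steps.
# Daemon name, paths and the sample type list are assumptions.
set -eu

# Write the module's type-enforcement (.te) and file-context (.fc) sources
# into the directory $1. SELinux has one flat type namespace, so every type
# declared here carries the "exampled_" prefix: the module name is the only
# namespace delegation the policy language offers.
write_policy_module() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/exampled.te" <<'EOF'
policy_module(exampled, 1.0)

# Domain the daemon runs in, and the executable that transitions into it
# when init starts the service.
type exampled_t;
type exampled_exec_t;
init_daemon_domain(exampled_t, exampled_exec_t)

# Data and log files. The paths live in the .fc file, not here, so a
# packager or admin can relabel a different location without editing policy.
type exampled_var_lib_t;
files_type(exampled_var_lib_t)
manage_dirs_pattern(exampled_t, exampled_var_lib_t, exampled_var_lib_t)
manage_files_pattern(exampled_t, exampled_var_lib_t, exampled_var_lib_t)

type exampled_log_t;
logging_log_file(exampled_log_t)
manage_files_pattern(exampled_t, exampled_log_t, exampled_log_t)
EOF
    cat > "$dir/exampled.fc" <<'EOF'
/usr/sbin/exampled        --  gen_context(system_u:object_r:exampled_exec_t,s0)
/var/lib/exampled(/.*)?       gen_context(system_u:object_r:exampled_var_lib_t,s0)
/var/log/exampled(/.*)?       gen_context(system_u:object_r:exampled_log_t,s0)
EOF
}

# Print the types a .te file declares, one per line.
declared_types() {
    sed -n 's/^type \([A-Za-z0-9_]*\)[;,].*/\1/p' "$1"
}

# Constructed stand-in for the output of `seinfo -t` (setools) on a host
# with policy loaded; exampled_log_t is included on purpose to show a clash.
sample_loaded_types() {
    cat <<'EOF'
init_t
initrc_t
httpd_t
httpd_sys_content_t
exampled_log_t
EOF
}

# Return 0 if no type declared in the .te file $1 already exists in the
# loaded-type list $2 (one name per line); otherwise print the clashes to
# stderr and return 1. Run this before semodule -i: the module linker
# rejects a type that another loaded module already declares.
check_type_collisions() {
    te=$1; loaded=$2
    clashes=$(declared_types "$te" | grep -Fxf - "$loaded" || true)
    if [ -n "$clashes" ]; then
        printf 'type already defined in loaded policy:\n%s\n' "$clashes" >&2
        return 1
    fi
    return 0
}

# Build and load the module from $1; needs selinux-policy-devel on the host.
# Returns 2 (without touching the system) where the toolchain is absent.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo 'no /usr/share/selinux/devel/Makefile; skipping build' >&2
        return 2
    fi
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile exampled.pp)
    semodule -i "$dir/exampled.pp"
    # Admin-side override for a non-default data directory: semanage's local
    # file-context entries take precedence over the module's own .fc entries.
    semanage fcontext -a -t exampled_var_lib_t '/srv/exampled(/.*)?'
    restorecon -R /srv/exampled
}
```

Two things worth noting. First, the .fc file plus semanage fcontext is the whole "variables for filepaths" mechanism: the module never hard-codes where the data lives, and a site that installs into /srv can relabel without rebuilding anything. Second, on the point about targeted mode: a daemon started from init with no module of its own lands in initrc_t, which the targeted policy leaves unconfined, so "it just worked" is exactly what you would see with or without a correct policy; `ps -eZ` on the running daemon tells you which of the two cases you are in.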