On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen lowen@pari.edu wrote:
On Wednesday, January 11, 2012 01:22:05 PM Les Mikesell wrote:
I don't think of myself as a 'normal user', but I still don't appreciate it when a distribution goes out of its way to arbitrarily modify and break what application developers spent years designing and writing.
SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.
Yes, the breakage came from having someone who didn't understand the needs define that policy.
If you need to special-case stuff, then you need to do an analysis of the special cases you need to create; this is what a testing server running SELinux in permissive mode is for, as there is no better analysis of what SELinux needs than SELinux in permissive mode logging what your application is using. Get the logs and run audit2allow and package that as a piece of your application's SELinux policies.
So if an application only needs to do something once at some future time, what happens? If you write an application that will need to do something at some rare future time, what is the standard way to tell distribution packaging systems and system administrators to permit it?
That is new, but it isn't very hard.
Doesn't that really depend on what the application needs to do?
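Added example, not part of the thread and not code from audit2allow: a simplified Python sketch of the log-to-policy step discussed above, turning AVC denial records collected in permissive mode into candidate allow rules with per-permission hit counts. The log records, the `myapp_t` domain and the `myappd` process name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not taken from the thread).
SAMPLE_LOG = '''\
type=AVC msg=audit(1326306125.101:412): avc:  denied  { read } for  pid=2211 comm="myappd" name="app.conf" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1326306125.101:412): arch=c000003e syscall=2 success=yes exit=3 comm="myappd"
type=AVC msg=audit(1326306125.102:413): avc:  denied  { open } for  pid=2211 comm="myappd" name="app.conf" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1326306130.440:420): avc:  denied  { name_connect } for  pid=2211 comm="myappd" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1326306131.007:421): avc:  denied  { read } for  pid=2211 comm="myappd" name="app.conf" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source_type, target_type, class) -> {permission: hit count}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["c"])
        for perm in m["perms"].split():
            seen[key][perm] += 1
    return seen

def render_rules(seen):
    """Render one allow rule per (source, target, class), sorted."""
    rules = []
    for (src, tgt, cls), perms in sorted(seen.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(render_rules(collect_denials(SAMPLE_LOG))))
```

Rules come only from denials that were actually logged, so an access the application never performed during the permissive-mode run produces no rule. Each generated rule should be reviewed before it is packaged into a policy module.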