Warren Young wrote:
On 12/9/2010 1:54 AM, David Sommerseth wrote:
For the vast majority of issues with SELinux, it is possible to overcome them using the provided tools.
Of course, but I think you're mistaking "possible" for "practical". Everyone has different incentives and constraints.
Allow me to build an analogy with GUI program design. The tools provided with the OS are sufficient for any program to be beautifully designed. We have powerful graphics editors, solid GUI libraries, mature GUI builders, and unprecedentedly powerful means for finding and attracting design talent. Yet, most Linux GUI programs are not as nicely designed as the best counterparts on Windows and OS X.
Why?
Well, because what most people see, or buy, is WinDoze, so that's where the money is.
On Windows and OS X, the incentives are different. More software costs money, and among the ways to convince people to pay money for software when there are free alternatives, one way is to make the software more beautiful, and another is to make it easier to use.
Also, Apple dictates style; to a lesser degree, so does M$. There's no dictated style guide for Linux.
Now let's apply that same thinking to SELinux.
First, not all open source projects have the proper incentives to support SELinux. One reason might be that the project started on one of
<snip>
Then you have the packagers. Those packages not made by people trying
<snip>
Next there are those who just wish to install and use the software. They may not wish to dig into the package to fix SELinux problems any more than you see Joe Shellprompt fixing any of the many other common problems you find constantly kicked back upstream through complaints in bug trackers and on mailing lists.
Here's the big one. I've got enough to do without adding selinux on top of the mix. As I said, on almost all our boxen, it's disabled.
<snip>
mark