On Wed, Jan 11, 2012 at 5:25 PM, Stephen Harris lists@spuddy.org wrote:
Yes, the breakage came from having someone who didn't understand the needs define that policy.
I think part of the problem is that Linux+SELinux is a _different platform_ to Linux without SELinux.
If you look at it as _one_ new platform it's not such a big problem. But I don't think you can target Linux+SELinux in the general sense.
On any Unix or Linux system I can install apache, configure it so that DocumentRoot is /mywebtree/htdocs, CGIs are in /mywebtree/cgi. The CGI can write to /myapp/tmpdir and so on. And it will work the same way on all of those platforms.
It works across platforms because the application developer has a standard way to deal with standard permissions.
On Linux+SELinux, however, you need to do additional work. The platform needs to be configured to allow this to work.
Developers need to target Linux+SELinux as if it was a new platform to be supported.
How do you avoid this really being multiplied by the number of Linux distributions if there is not a standard way for the application to include its own policy?
But what about the gazillion of apps that don't support that platform? Either you disable SELinux or you have a large support overhead (initial onboarding of app, verification that updates to app still work, verification that OS updates don't break app, etc etc).
That's why everything uses targeted mode. You only constrain the apps where you have a reasonable chance of getting it right. But with apache being the swiss army knife of services it is both the obvious thing to target and the most likely thing to get wrong.