[CentOS] SELinux - way of the future or good idea but !!!

Thu Dec 9 20:33:13 UTC 2010
Warren Young <warren at etr-usa.com>

On 12/9/2010 1:54 AM, David Sommerseth wrote:
>
> For the vast majority of issues with SELinux, it possible to overcome
> them using the provided tools.

Of course, but I think you're mistaking "possible" for "practical". 
Everyone has different incentives and constraints.

Allow me to build an analogy with GUI program design.  The tools provided 
with the OS are sufficient for any program to be beautifully designed. 
We have powerful graphics editors, solid GUI libraries, mature GUI 
builders, and unprecedentedly powerful means for finding and attracting 
design talent.  Yet, most Linux GUI programs are not as nicely designed 
as the best counterparts on Windows and OS X.

Why?

Not everyone cares enough to make their GUI program beautiful, 
especially in a world where a) most of the software is free-as-in-beer; 
and b) the culture has developed a knee-jerk "if you don't like it go 
use something else we're volunteers here you ungrateful bastard" 
reaction to criticism.  (I should note here that I'm the primary 
maintainer of a popular free software package, and I, too, have told 
people to go pound sand when they told me I *need to* do something in 
order to make my successful project succeed.  As in another post in this 
thread, I'm not disparaging here, just reporting.)

On Windows and OS X, the incentives are different.  More software costs 
money, and among the ways to convince people to pay money for software 
when there are free alternatives, one way is to make the software more 
beautiful, and another is to make it easier to use.

Now let's apply that same thinking to SELinux.

First, not all open source projects have the proper incentives to 
support SELinux.  One reason might be that the project started on one of 
the BSDs and its primary maintainers still use that platform.  Their 
community may be uninterested in providing patches, and they're unlikely 
to write software that doesn't benefit them in some way.

Then you have the packagers.  Those packages not made by people trying 
to get the package into the Fedora or RHEL official repositories aren't 
required to support SELinux, so they may choose not to if they don't 
themselves use SELinux.

Next there are those who just wish to install and use the software. 
They may not wish to dig into the package to fix SELinux problems any 
more than you see Joe Shellprompt fixing any of the many other 
common problems you find constantly kicked back upstream through 
complaints in bug trackers and on mailing lists.

That takes us full circle: no one has fixed the issue, and without a 
sufficient change in the set of user incentives for that package, the 
cycle will repeat.