On 13/04/13 11:36 AM, Kevin Kofler wrote:

> And I would argue that this amounts to second-guessing/duplicating what the
> program tries to do in an unmaintainable morass of rules, which even for the
> targeted policy (which is not even close to covering all programs in Fedora
> other than as "unconfined") keeps having bugs which need to be fixed every
> day, even after YEARS of debugging. SELinux just does not scale,

SELinux keeps having bugs *because* they progressively build out the policies. The coverage of the -targeted policy is now greater than it was a few releases back. If they kept the coverage of the stock policies the same over time, there would be almost no new bugs, but instead, they increase the coverage, and hence the security it provides, progressively with each release. *Some* bugs are associated with files moving or program functionality changing or whatever, but most are just the result of the policies growing: the 'scaling' that you say isn't working.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel