On 10/25/14 10:28, stephen Turner wrote:
> Isn't part of the idea behind kiss is security? And if you were to
> include selinux wouldn't you want to reduce that code as well?

Yes, but "all or none" is the easiest granularity. If we have a thing in toybox to set selinux entries (which this apparently does), then we should at least have code in cp/mv to preserve them, and code in "ls" to display them. (I'm reluctant to have _partial_ support for something, which is by itself useless.)

I honestly don't know what the rest of the minimum support criteria _are_. I suppose I could grep busybox to see which command names it shows up in there. My own experience with it was either figuring out how to phrase "noselinux" for the system at hand, or leaving it as somebody else's problem for sysadmin du jour who wanted it.

The thing is: often you have to know a problem domain really well in order to say what the minimal set of required functionality actually _is_. I do not know selinux that well. I have a decent understanding of classic unix security and I think that _is_ the minimal subset. (Modulo groups being sort of a legacy feature, especially once containers go in.)

I want to add container support on top of classic unix security, but unfortunately the people implementing it have a hammer (capabilities! selinux! extended attributes! systemd!) and thus will _find_ excuses to use this crap despite its seeming uselessness...

Possibly containers _don't_ actually need this mess. I really hope not. But I don't feel I understand the concept well enough to go all: http://www.girlgeniusonline.com/comic.php?date=20030625 on it yet. (It sounds like Andy may already have done so, but I need to learn more to evaluate it.)

But I've kinda been hip-deep in sed this past week...

Rob
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
