From: dominick.grift@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
Date: Wed, 23 Oct 2013 21:13:11 +0200
Message-ID: <1382555591.3041.110.camel@d30>
In-Reply-To: <52680DF1.3000700@redhat.com>
On Wed, 2013-10-23 at 13:57 -0400, Daniel J Walsh wrote:
> ...
>
> Then tools can look for all content which begins bugzilla and have the correct
> types drawn.
>
I don't have any issues with this change in the apache module, but I think
it's a dead end because sooner or later things will break, just because
of the configurability of SELinux.
The nature of SELinux is that it is configurable, and my opinion is that
user space should acknowledge this and not depend on things that are
not, or might not always be, fixed or according to "standards", like
how people name their identifiers.
It's kind of like the issue that cgroups are facing, I guess, in a sense:
https://www.youtube.com/watch?v=MSG4jW187Is
A solution might be to create a single handler of SELinux policy that
validates the policy. Identifiers that do not meet the requirements will
be rejected by the handler (or it should not even be possible to create
identifiers that might break your tools).
This, kind of, assures that your tools can rely on the standards you
set.
Of course the handler should eventually be optional, but Fedora could
"enforce its use" or at least encourage it.
But even then, how does one create a handler for such a flexible
framework as SELinux, and who is going to maintain it?
.. Maybe it's better to just not let your tools make such assumptions in
the first place.
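The "handler that validates the policy" proposed above, reduced to its smallest working piece: a checker that reads `type` declarations from policy source and rejects identifiers that do not follow a naming rule tooling wants to rely on. This is an added illustration written for this archive page, not code from the thread's author or from refpolicy; the policy snippet is constructed, and the rule that every type for an application starts with `<app>_` and ends with `_t` is an assumed example convention, not refpolicy's actual one.

```python
import re

# Constructed sample policy (not from the page or refpolicy): a hypothetical
# application whose content types should all carry the application prefix,
# plus two declarations that break that rule.
SAMPLE_POLICY = """
type bugzilla_content_t;
type bugzilla_rw_content_t;
type bugzilla_script_t;
type bugzilla_script_exec_t alias bugzilla_cgi_exec_t;
type httpd_bugzilla_htaccess_t;
type bz_tmp_t;
"""

# Matches "type NAME;" / "type NAME, attr;" / "type NAME alias OTHER;" but not
# "typeattribute" or "typealias", because "type" must be followed by whitespace.
TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\b")


def declared_types(policy_text):
    """Return the type identifiers declared in policy_text, in source order."""
    return [m.group(1) for m in map(TYPE_DECL.match, policy_text.splitlines()) if m]


def follows_convention(identifier, app):
    """Assumed example rule: identifier is '<app>_..._t'."""
    return identifier.startswith(app + "_") and identifier.endswith("_t")


def validate(policy_text, app):
    """Split declared types into accepted and rejected per the assumed rule.

    A real handler would refuse to load or compile a module with rejected
    identifiers; here we just report them so the caller can act.
    """
    types = declared_types(policy_text)
    accepted = [t for t in types if follows_convention(t, app)]
    rejected = [t for t in types if not follows_convention(t, app)]
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    report = validate(SAMPLE_POLICY, "bugzilla")
    for name in report["accepted"]:
        print("ok      ", name)
    for name in report["rejected"]:
        print("rejected", name)
```

Run against the sample, the checker accepts the four `bugzilla_*_t` types and rejects `httpd_bugzilla_htaccess_t` and `bz_tmp_t`: exactly the kind of identifiers a tool that "looks for all content which begins bugzilla" would silently miss. Whether such a checker is worth maintaining for a framework as flexible as SELinux is the open question the message ends on.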