From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 23 Oct 2013 21:13:11 +0200
Subject: [refpolicy] I think we made a large mistake when we designed apache_content_template.
In-Reply-To: <52680DF1.3000700@redhat.com>
References: <52680DF1.3000700@redhat.com>
Message-ID: <1382555591.3041.110.camel@d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2013-10-23 at 13:57 -0400, Daniel J Walsh wrote:
> ...
>
> Then tools can look for all content which begins bugzilla and have the correct
> types drawn.
>

I don't have any issues with this change in the apache module, but I think it's a dead end, because sooner or later things will break, just because of the configurability of SELinux.

The nature of SELinux is that it is configurable, and my opinion is that user space should acknowledge this and not depend on things that are not, or might not always, be fixed, or according to "standards". Like how people name their identifiers.

It's kind of like the issue that cgroups are facing, I guess, in a sense: https://www.youtube.com/watch?v=MSG4jW187Is

A solution might be to create a single handler of SELinux policy that validates the policy. Identifiers that do not meet the requirements will be rejected by the handler (or it should not even be possible to create identifiers that might break your tools). This, kind of, assures that your tools can rely on the standards you set.

Of course the handler should eventually be optional, but Fedora could "enforce its use" or at least encourage it.

But even then, how does one create a handler for such a flexible framework as SELinux, and who is going to maintain it? ..

Maybe it's better to just not let your tools make such assumptions in the first place.