From: Russell Coker
To: Denis Obrezkov
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: Are we on the wrong track?
Date: Fri, 12 Jun 2020 21:53:35 +1000
Message-ID: <18730491.WiRWafRUmg@liv>

On Friday, 12 June 2020 9:00:05 PM AEST Denis Obrezkov wrote:
> At the same time, some parts of SELinux are very unstable. Like, MCS. It
> was introduced and it is used only for VM management. And mcstransd is
> bad. It's really bad. I was trying to use it and it was totally
> unstable. So, even if someone wants to use MCS - it is almost impossible
> because tools are unstable and MCS is already almost exclusively used by
> VMs.

Systemd has the ability to dynamically create and manage UIDs. It could do the
same with MCS categories.

Having systemd manage multiple daemons doing similar tasks with either MCS
categories or the other systemd mechanisms (namespaces etc) used to isolate
them instead of different types is something we could do. There are a heap of
daemons that use a TCP or UDP socket, write to logs, and maintain a data store
(database server, proxy server, DHCP server, and Samba all look fairly similar
from a certain perspective); having an entirely separate policy for each one
doesn't seem useful.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/