Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp406635ybg; Fri, 12 Jun 2020 04:53:52 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzwv00IfCe1l1UlVgYR/eVEO4EhLCDtzRPgd7bukV9vKsPYZ6bhLBOIdblG4NDfHbHD0boH X-Received: by 2002:a50:f106:: with SMTP id w6mr11337170edl.131.1591962832527; Fri, 12 Jun 2020 04:53:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591962832; cv=none; d=google.com; s=arc-20160816; b=zhzkdPIgnUUgtsCiVZCv/d1B6GeUSA7mY2Yrp8Rm81hDTtvzN1X4VIFMDmeBM2HkbT 8QlXAEpy1yj2sOMTDA0BNE6c8iM5JpDg2GkRRvzv+WgEYj+anxES3nvEUppsmnexoxaD RlqBvScMXEvyprSgFtzXIKQI31Wvm8qWB6JW0fVOQzHHU8C+IdFbOf//8NxmFLJoEFt3 rgVgIf+/VqrYKoxbVdNsCm58UxneTWFv27l60DyTtiP/DmhWzkn0nUd9w3+ftqILwSav dwkhfwTcsXoaTCqDhc9X1QrXr7BlTIlqv6dicSW6xNgdOfXWQDpFXQZmZd1I4ucX8vhk oG2A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=7HtxxVU34Vbl2v9MivWIfyD4Ap11XdacD2EtNw3tIYU=; b=P6QaiK94ajJVIiY/J6ZK2zoJ+Rc5pR2JZGN+AmGn9W7G4Qlmf9MKdDkypiNRBM5Ne7 ccj5tfs3HRkONwl+o7gCFm7Hmz4RkVQeJmNU4usHwWfwPfJohhLItm0ePYplT4jjm0AZ PqLSM8d1WrGNN2EKESbu9mkyIBrFi+3yeMUVL6/BKu6hFChTzoqAwsV4w3VY+ozaqhgV DzCRzfZkHygNmMkFHTD2JV3GJuqzabZajfz8PuM1m9nz8ZXfhCPuH3zdEo+fVSvyFQqy 670axDCVkFYlnX15m+anEdWoc+Qr8xmORk5t6wzSSA4sLTwi0nSXeamuZo6RRuDA2+mw IAdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=mez50Mll; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v12si3213396edy.431.2020.06.12.04.53.47; Fri, 12 Jun 2020 04:53:52 -0700 (PDT) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=mez50Mll; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725872AbgFLLxn (ORCPT + 15 others); Fri, 12 Jun 2020 07:53:43 -0400 Received: from smtp.sws.net.au ([46.4.88.250]:59560 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725791AbgFLLxm (ORCPT ); Fri, 12 Jun 2020 07:53:42 -0400 Received: from liv.localnet (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 92ED5EF1F; Fri, 12 Jun 2020 21:53:39 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1591962820; bh=7HtxxVU34Vbl2v9MivWIfyD4Ap11XdacD2EtNw3tIYU=; l=1130; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mez50MllLT/dNhK5PCngIjP1EDMMFVsMvs0QBqpq5Gy/Cez2zzHQymgD6Z8Joa/2B BWScxTH2EDp9TcdLWaGMFpDVeRGQaD0GfrNKsBW9y1dgn3J2IWqLtJxoxKlx6f1wq0 1zQYV616nf/04dr1NbuhtK4Xjshjc0VEkONqL7eU= From: Russell Coker To: Denis Obrezkov Cc: selinux-refpolicy@vger.kernel.org Subject: Re: Are we on the wrong track? Date: Fri, 12 Jun 2020 21:53:35 +1000 Message-ID: <18730491.WiRWafRUmg@liv> In-Reply-To: References: <3243717.6S2XvbbdUs@liv> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Friday, 12 June 2020 9:00:05 PM AEST Denis Obrezkov wrote: > At the same time, some parts of SELinux are very unstable. Like, MCS. It > was introduced and it is used only for VM management. And mcstransd is > bad. It's really bad. I was trying to use it and it was totally > unstable. So, even if someone wants to use MCS - it is almost impossible > because tools are unstable and MCS is already almost exclusively used by > VMs. Systemd has the ability to dynamically create and manage UIDs. It could do the same with MCS categories. Having systemd manage multiple daemons doing similar tasks with either MCS categories or the other systemd mechanisms (namespaces etc) used to isolate them instead of different types is something we could do. There are a heap of daemons that use a TCP or UDP socket, write to logs, and maintain a data store (database server, proxy server, dhcp server, and samba all look fairly similar from a certain perspective), having an entirely separate policy for each one doesn't seem useful. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/