> While I agree that per-application policy overrides would be really
> helpful, these suggested solutions are overkill.

Overkill is SELinux's middle name, isn't it? :P It always struck me as being
intentionally heavy-handed... which is kind of a good thing if you're
looking for control above all else. That being said though...

> In any case, this seems like functionality best provided by
> crypto-policies itself.

Agreed, the simpler and less code complex the better.


On Mon, May 2, 2022 at 12:27 PM Robbie Harwood <rharw...@redhat.com> wrote:

> JT <j...@obs-sec.com> writes:
>
> >> IMO, there's a rather desperate need to be able to override the
> >> system-wide policy for individual processes, maybe via some sort of
> >> wrapper around one of the containerization technologies.
> >
> > Alternatively I wouldn't be surprised if at some point the industry
> > doesn't unofficially opt for a legacy openssl option which could be
> > utilized by legacy code, but still allow all the modern code to use
> > the new stuff.  But of course if that did exist, tons of people would
> > just refuse to update their code and deps because they have an option
> > not to.
>
> While I agree that per-application policy overrides would be really
> helpful, these suggested solutions are overkill.
>
> Concretely, crypto-policies works by managing various configuration
> files.  All that's needed to override on a per-application or even
> per-process basis is to look at a different configuration file.
> Exposing an environment variable (when it's not already) or
> initialization option from the crypto library suffices for this.
>
> In any case, this seems like functionality best provided by
> crypto-policies itself.
>
> Be well,
> --Robbie
>
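
The per-process override described in the quoted message, as an added example that is not part of the thread or of crypto-policies: a wrapper that points one command at an alternate OpenSSL policy file through the `OPENSSL_CONF` environment variable. The paths `/etc/pki/tls/openssl.cnf`, `/etc/crypto-policies/back-ends/opensslcnf.config` and `/usr/share/crypto-policies/FUTURE/opensslcnf.txt`, the `BASE_CNF` variable and both function names are assumptions about a Fedora layout, not taken from the thread.

```bash
#!/usr/bin/env bash
# Added example, not crypto-policies code. Assumed Fedora layout: the system
# openssl.cnf pulls in the active policy with one ".include" line that points
# at /etc/crypto-policies/back-ends/opensslcnf.config.

# make_override_conf BASE_CNF POLICY_FILE OUT_CNF
# Write a copy of BASE_CNF whose crypto-policies include points at POLICY_FILE.
make_override_conf() {
    local base="$1" policy="$2" out="$3" rc
    [ -r "$base" ] && [ -r "$policy" ] || { echo "unreadable input" >&2; return 1; }
    # Absolute path only, so the include does not depend on the working directory.
    case "$policy" in /*) ;; *) echo "policy path must be absolute" >&2; return 1 ;; esac
    awk -v p="$policy" '
        /^[ \t]*\.include[ \t]*=?[ \t]*[^ \t]*crypto-policies\/back-ends\/opensslcnf\.config/ {
            print ".include = " p; n++; next
        }
        { print }
        END { exit (n == 1 ? 0 : 2) }' "$base" > "$out"
    rc=$?
    # Fail closed: without exactly one rewritten include the process would run
    # with the wrong policy or with none at all.
    if [ "$rc" -ne 0 ]; then
        rm -f "$out"
        echo "no single crypto-policies include found in $base" >&2
    fi
    return "$rc"
}

# run_with_policy POLICY_FILE COMMAND [ARGS...]
# Run COMMAND with OPENSSL_CONF set for that process only; the caller's
# environment and the system-wide policy are left untouched.
run_with_policy() {
    local policy="$1" tmp rc
    shift
    tmp=$(mktemp) || return 1
    if make_override_conf "${BASE_CNF:-/etc/pki/tls/openssl.cnf}" "$policy" "$tmp"; then
        OPENSSL_CONF="$tmp" "$@"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: run_with_policy /usr/share/crypto-policies/FUTURE/opensslcnf.txt openssl ciphers -v
```

This only affects programs that load the default OpenSSL configuration; an application that ignores `OPENSSL_CONF` or uses another crypto library keeps the system-wide policy.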