Rein Fernhout writes:
> On 10/11/2025 13:52, Sam Varshavchik wrote:
> > I might be wrong, but AFAIK Fedora/RHEL is the only Linux distribution that still screws around with SELinux.
>
> OpenSUSE (and SUSE) also. Earlier this year OpenSUSE enabled SELinux per default on their rolling release distribution. [1]
>
> Overall the experience has been exactly as you described here. Continuously hunting down missing policies even for core packages.
>
> [1]: https://lists.opensuse.org/archives/list/[email protected]/thread/YN4TCBCU4A2V5G2MWR5EWYF46267BO7F/

Conceptually, a complicated technical ecosystem like SELinux can only meaningfully scale if the barrier of entry is low enough for the upstream sources to be able to easily supply the SELinux policy, as part of the package.
Originally, it was expected that SELinux will become very popular and take over the Linux scene by storm. It was thought that there wasn't much need to provide a rich set of resources for learning how to use SELinux. After all, everyone will simply have to deal with it, if they wish to play with the big boys.
That, obviously, hasn't happened. Let's be frank: SELinux only exists as part of a very small number of non-leading Linux distributions. Who are forced to take on responsibility of maintaining the SELinux policy for all of their packages, thus engaging in a perpetual whack-a-mole.
Additionally, having a system where only distribution-provided packages can be meaningfully used would …not be what Linux is all about, so, additionally, some effort has to be set aside for writing policies for popular Linux packages who are not in the distribution. I became aware, some time ago, that Fedora's SELinux policy package includes a bunch of policies for non-distro packages. I don't have much data on how well this is working out. My data set consists of a grand total of one such package, whose Fedora-provided SELinux policy has some major, major gaps.
--
users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
